In 2022, a security vulnerability was found in IBM Robotic Process Automation (RPA) versions 21.0.1 and 21.0.2. This issue, tracked as CVE-2022-38710 and recorded in IBM’s X-Force database as 234292, might seem minor at first glance. But information disclosure issues like this can help attackers find bigger holes. If you run an at-risk IBM RPA, this post walks you through what’s exposed, why it matters, and what you can do about it.

What Exactly Is the Problem?

IBM RPA lets companies build software robots that automate repetitive tasks. Unfortunately, versions 21.0.1 and 21.0.2 expose detailed version information. Anyone with access to the product’s login page or API can see precise version numbers, data that should remain private.

Why’s that bad? Because public version numbers let hackers easily search for the specific weaknesses tied to those versions. It’s like announcing to a burglar exactly which model of lock you have on your front door.

How Is the Info Leaked?

The version info can be displayed in several places. For example, APIs can return a banner that gives away the exact version. In some interfaces, the web page’s footer or headers might show the RPA release number.

Here’s a simulated example of a vulnerable API response:

{
  "product": "IBM Robotic Process Automation",
  "version": "21.0.1",
  "build": "12345",
  "status": "OK"
}

Or, during sign-in, you might see:

Welcome to IBM Robotic Process Automation - Version 21.0.2

With tools like curl, an attacker could run:

curl -I http://your-rpa-app:808/

And see headers such as:

Server: IBM-RPA-21.0.1

Look Up Known Vulnerabilities

They can search databases like NVD for bugs in that exact release.

Craft Targeted Exploits

If your version is behind on patches, the attacker may use public exploits that work only on that version.

Spear Phishing for Admins

Attackers may craft emails that look exactly like product alerts or admin messages, tailored to that version.

How Would an Attacker Find This?

Checking for this vulnerability takes very little skill:

- Visit the login web page and check for version numbers in the interface or page source.
- Make a simple HTTP GET request to the public-facing RPA server and look for version strings in the headers or body.
- Use tools like Shodan to scan for exposed IBM RPA endpoints on the public internet.

*No authentication is needed to get the information.*
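The same check works just as well for defenders auditing their own servers. The script below is an added example, not code from IBM or from the original post: it parses a raw HTTP response and flags any header or body text that discloses a product version. The regular expressions are modelled on the strings shown above and the two sample responses are constructed, not real captures.

```python
import re
from typing import Dict, List, Tuple

# Signatures of a disclosed product version. Constructed for this example from the
# strings shown in the post; they are not a list published by IBM.
VERSION_PATTERNS = [
    re.compile(r"\bIBM-RPA-\d+(?:\.\d+)+", re.IGNORECASE),
    re.compile(r"Robotic Process Automation\s*-\s*Version\s*\d+(?:\.\d+)+", re.IGNORECASE),
    re.compile(r'"version"\s*:\s*"\d+(?:\.\d+)+"'),
]


def split_http_response(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a raw HTTP/1.x response into a lower-cased header dict and the body text."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def find_version_leaks(raw: str) -> List[Tuple[str, str]]:
    """Return (location, matched_text) pairs for every version string disclosed."""
    headers, body = split_http_response(raw)
    findings: List[Tuple[str, str]] = []
    for name, value in headers.items():
        for pat in VERSION_PATTERNS:
            for m in pat.finditer(value):
                findings.append((f"header:{name}", m.group(0)))
    for pat in VERSION_PATTERNS:
        for m in pat.finditer(body):
            findings.append(("body", m.group(0)))
    return findings


# Constructed sample responses modelled on the post's examples; not real captures.
LEAKY = (
    "HTTP/1.1 200 OK\r\nServer: IBM-RPA-21.0.1\r\nContent-Type: application/json\r\n\r\n"
    '{"product": "IBM Robotic Process Automation", "version": "21.0.1", "status": "OK"}'
)
HARDENED = (
    "HTTP/1.1 200 OK\r\nServer: IBM-RPA\r\nContent-Type: application/json\r\n\r\n"
    '{"product": "IBM Robotic Process Automation", "status": "OK"}'
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, find_version_leaks(resp))  # leaky: 2 findings, hardened: none
```

To audit a live server, feed it the raw text of a response captured from your own host; a non-empty result means the release number is still being disclosed.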

IBM Security Bulletin (original source):

https://www.ibm.com/support/pages/node/6820175

NIST National Vulnerability Database:

https://nvd.nist.gov/vuln/detail/CVE-2022-38710

How To Fix It?

IBM advises upgrading to a fixed release in which version details are no longer publicly disclosed.

Should You Be Worried?

It’s “just” version information, not a full exploit. But in cyber defense, every small leak matters. Don’t give hackers an easy map to your weaknesses. Update your RPA and audit all systems for unnecessary info leaks.

Final Thoughts

CVE-2022-38710 is a classic reminder: hiding the version number is an easy security win. If you use IBM Robotic Process Automation 21.0.1 or 21.0.2, don’t delay. Audit your systems and upgrade; the bad guys might already be looking.

For further reading and official updates, check out IBM’s support page.

Timeline

Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 15:13:00 UTC