CVE-2025-36059
📋 TL;DR
This vulnerability in IBM Business Automation Workflow containers allows local users with container access to execute arbitrary operating system commands. It affects IBM Business Automation Workflow versions 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006, as well as IBM Cloud Pak for Business Automation deployments using these versions.
💻 Affected Systems
- IBM Business Automation Workflow
- IBM Cloud Pak for Business Automation
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
A malicious local user could gain full control of the container, potentially leading to data theft, privilege escalation, or lateral movement to other systems.
Likely Case
Local users with legitimate access could abuse this vulnerability to execute unauthorized commands, potentially compromising container integrity and accessing sensitive data.
If Mitigated
With proper access controls and container isolation, impact is limited to the specific container instance without affecting the host system or other containers.
🎯 Exploit Status
Exploitation requires local access to the container. No authentication bypass needed beyond container access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM Business Automation Workflow 25.0.0 Interim Fix 003, 24.0.1 Interim Fix 006, or 24.0.0 Interim Fix 007
Vendor Advisory: https://www.ibm.com/support/pages/node/7256777
Restart Required: Yes
Instructions:
1. Download the appropriate interim fix from IBM Fix Central.
2. Apply the fix following IBM's container update procedures.
3. Restart the affected containers.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Restrict Container Access
Limit local access to containers to only authorized users and processes.
# Use Kubernetes RBAC or container runtime security policies
# Example: kubectl create rolebinding restricted-access --role=view --user=authorized-user --namespace=target-namespace
Implement Container Security Policies
Use container security tools to restrict system call execution.
# Use seccomp profiles or AppArmor/SELinux policies
# Example: docker run --security-opt seccomp=profile.json your-container
🧯 If You Can't Patch
- Implement strict access controls to limit who can access containers.
- Use container runtime security features to restrict system call execution.
🔍 How to Verify
Check if Vulnerable:
Check your IBM Business Automation Workflow version against affected versions. If running affected versions in containers, you are vulnerable.
Check Version:
# For IBM Business Automation Workflow containers, check version in container logs or configuration files
Verify Fix Applied:
Verify the applied interim fix version matches or exceeds the patched versions listed in the vendor advisory.
📡 Detection & Monitoring
Log Indicators:
- Unusual system command execution from container processes
- Unexpected process creation within containers
- Container escape attempts in logs
Network Indicators:
- Unusual outbound connections from containers to internal systems
- Container-to-container communication not in normal patterns
SIEM Query:
container.runtime=* AND event.action="exec" AND process.name NOT IN ("expected-processes")
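The SIEM query above, implemented as a filter over constructed container-runtime events so the allowlist logic can be tested offline. This is an added example, not IBM's or any SIEM vendor's code; the flat field names, the container name, and the contents of EXPECTED_PROCESSES are assumptions.

```python
"""Flag container exec events whose process is not on the expected list.

Mirrors: container.runtime=* AND event.action="exec"
         AND process.name NOT IN ("expected-processes")
"""
import json

# Assumed allowlist: processes legitimately exec'd inside the workflow containers.
EXPECTED_PROCESSES = {"healthcheck.sh", "java"}

# Constructed sample events (not real logs), one JSON object per line.
SAMPLE_EVENTS = [
    '{"container.runtime":"containerd","container.name":"baw-server-0","event.action":"exec","process.name":"healthcheck.sh","user.name":"system"}',
    '{"container.runtime":"containerd","container.name":"baw-server-0","event.action":"exec","process.name":"sh","user.name":"alice"}',
    '{"container.runtime":"containerd","container.name":"baw-server-0","event.action":"start","process.name":"java","user.name":"system"}',
    '{"container.name":"baw-server-0","event.action":"exec","process.name":"curl","user.name":"bob"}',
]


def parse_event(line):
    """Parse one JSON log line; malformed lines are skipped rather than crashing the pipeline."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def matches_query(event, expected=EXPECTED_PROCESSES):
    """Apply the three query clauses; 'container.runtime=*' means the field must be present."""
    if event is None or "container.runtime" not in event:
        return False
    if event.get("event.action") != "exec":
        return False
    return event.get("process.name") not in expected


def find_suspicious_execs(lines, expected=EXPECTED_PROCESSES):
    """Return (container, user, process) for every event that matches the query."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if matches_query(event, expected):
            hits.append((event.get("container.name"), event.get("user.name"), event.get("process.name")))
    return hits


if __name__ == "__main__":
    for container, user, process in find_suspicious_execs(SAMPLE_EVENTS):
        print(f"ALERT unexpected exec: container={container} user={user} process={process}")
```

The fourth sample event lacks container.runtime and so is dropped by the first clause, which is the main way this query misses events: if your runtime does not populate that field, relax or replace the clause rather than trusting the silence.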