December 17, 2021
Categorized: Critical Severity
Process Federation Server (PFS), shipped with IBM Business Automation Workflow (BAW), is affected by a vulnerability in Log4j. The vulnerability is in the ElasticSearch client library used by PFS. The vulnerable ElasticSearch library was also shipped in the offline documentation. The vulnerable library has already been removed with a prior security bulletin (linked from the Remediation/Fixes section).
Affected product(s) and affected version(s):
IBM Business Automation Workflow
Earlier versions of IBM Business Automation Workflow and of IBM Business Process Manager are affected indirectly through WebSphere Application Server (see link to WebSphere Application Server bulletin in Remediation/Fixes section). If the vulnerable version of Log4j was added or used in custom applications, those customer applications may be affected.
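To check whether a custom application bundles its own copy of Log4j, the deployed archive can be inventoried for the library and its version, then compared against the versions named in the source bulletin. The following is an added example, not IBM's tooling; it assumes the library carries its standard Maven metadata file, and the archive names and version string in the sample are constructed.

```python
import io
import zipfile

# Assumption: log4j-core JARs carry their Maven metadata at this standard path.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_EXT = (".jar", ".war", ".ear", ".rar")


def find_log4j_core(data, label):
    """Return [(archive path, version)] for each log4j-core copy found.

    Descends into archives nested inside the given archive bytes, since a
    custom application EAR usually holds WARs that hold the library JARs.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive (or corrupt): nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM_PROPS:
                props = zf.read(name).decode("utf-8", "replace")
                version = "unknown"
                for line in props.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
                hits.append((label, version))
            elif name.lower().endswith(NESTED_EXT):
                hits += find_log4j_core(zf.read(name), label + "!/" + name)
    return hits


def build_sample_ear():
    """Constructed sample: EAR -> WAR -> log4j-core JAR (version is made up)."""
    def zipped(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for entry_name, content in entries.items():
                z.writestr(entry_name, content)
        return buf.getvalue()

    jar = zipped({POM_PROPS: "groupId=org.apache.logging.log4j\nversion=0.0.0-sample\n"})
    war = zipped({"WEB-INF/lib/log4j-core.jar": jar, "index.html": "<html/>"})
    return zipped({"custom-app.war": war, "META-INF/application.xml": "<application/>"})


if __name__ == "__main__":
    for path, version in find_log4j_core(build_sample_ear(), "custom-app.ear"):
        print(f"{path}: log4j-core {version}")
```

A copy that was repackaged without its Maven metadata (for example inside a shaded JAR) will not be reported, so an empty result does not prove the library is absent.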
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/6527768
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/214921