Direct links to fixes
APAR status
Closed as program error.
Error description
This interim fix removes the IBM Knowledge Center Customer Installed (KCCI) .ear and .war files, which enabled you to access the documentation offline, because they contain the following security vulnerabilities. With this interim fix applied, the PUBLIC_KC property points to the IBM Documentation available online. CVEID: CVE-2021-23358 DESCRIPTION: Node.js underscore module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the template function. By sending a specially-crafted argument using the variable property, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198958 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID: CVE-2018-3824 DESCRIPTION: Elastic X-Pack Machine Learning is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150286 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVEID: CVE-2019-7611 DESCRIPTION: Elastic Elasticsearch could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an improper permission issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain privileges. CVSS Base score: 8.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159335 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVEID: CVE-2021-29425 DESCRIPTION: Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVEID: CVE-2020-7021 DESCRIPTION: Elasticsearch could allow a local authenticated attacker to obtain sensitive information, caused by an error when audit logging and the emit_request_body option is enabled. By opening the audit log, a local authenticated attacker could obtain password hashes or authentication tokens and use this information to launch further attacks against the affected system. CVSS Base score: 1.9 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196943 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2018-3823 DESCRIPTION: Elastic X-Pack Machine Learning is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150287 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVEID: CVE-2020-7020 DESCRIPTION: Elastic Enterprise Search could allow a remote authenticated attacker to obtain sensitive information, caused by not properly preserving security permissions in search queries. By sending a search request, a remote attacker could exploit this vulnerability to disclose the existence of documents. CVSS Base score: 3.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190409 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2020-8908 DESCRIPTION: Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
Local fix
N/A
Problem summary
No additional information is available.
Problem conclusion
Use the public online documentation.
Temporary fix
Comments
APAR Information
APAR number
JR64096
Reported component name
BPM
Reported component ID
5737A5700
Reported release
860
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-08-24
Closed date
2021-09-24
Last modified date
2021-09-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM
Fixed component ID
5737A5700
Applicable component levels
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFPJS","label":"IBM Business Process Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.6.0.0"}]
Document Information
Modified date:
14 September 2022