IBM Support

JR64322: SECURITY APAR - MULTIPLE CVES - VULNERABILITIES IN NODE.JS MIGHTAFFECT THE IBM BPM CONFIGURATION EDITOR

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct links to fixes

8.6.20021020-WS-BPM-IFJR64322
8.6.20020002-WS-BPM-IFJR64322
8.6.10019003-WS-BPM-IFJR64322
8.6.0.201803-WS-BPM-IFJR64322
8.5.7.201706-WS-BPM-IFJR64322

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2021-22959
Description: Node.js  is vulnerable to HTTP request smuggling,
caused by an error related to a space in headers. A remote
attacker could send a specially-crafted request with a space
(SP) right after the header name before the colon to lead to
HTTP Request Smuggling (HRS). An attacker could exploit this
vulnerability to poison the web cache, bypass web application
firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score:
https://exchange.xforce.ibmcloud.com/vulnerabilities/211168 for
more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)


CVEID: CVE-2021-22960
Description: Node.js  is vulnerable to HTTP request smuggling,
caused by an error when parsing the body of chunked requests. A
remote attacker could send a specially-crafted request to lead
to HTTP Request Smuggling (HRS). An attacker could exploit this
vulnerability to poison the web cache, bypass web application
firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score:
https://exchange.xforce.ibmcloud.com/vulnerabilities/211171 for
more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Local fix

  • Use a text editor to modify the BPMConfig properties files. For
more information, see "Configuration properties for the
BPMConfig command"
(https://www.ibm.com/docs/en/baw/20.x?topic=utility-configuratio
n-properties-bpmconfig-command).

Problem summary

  • No additional information is available.

Problem conclusion

  • A fix that updates the version of Node.js that is used in the
Configuration editor will be available in a future release of
Business Automation Workflow.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR64322
    • 

  • Reported component name
    BUS AUTO WORKFL
    • 

  • Reported component ID
    5737H4100
    • 

  • Reported release
    L00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-11-02
    • 

  • Closed date
    2022-02-10
    • 

  • Last modified date
    2022-02-10
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BUS AUTO WORKFL
    • 

  • Fixed component ID
    5737H4100
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"21.0.2"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            10 February 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback