IBM Support

JR64322: SECURITY APAR - MULTIPLE CVES - VULNERABILITIES IN NODE.JS MIGHTAFFECT THE IBM BPM CONFIGURATION EDITOR

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2021-22959
    Description: Node.js  is vulnerable to HTTP request smuggling,
    caused by an error related to a space in headers. A remote
    attacker could send a specially-crafted request with a space
    (SP) right after the header name before the colon to lead to
    HTTP Request Smuggling (HRS). An attacker could exploit this
    vulnerability to poison the web cache, bypass web application
    firewall protection, and conduct XSS attacks.
    CVSS Base Score: 6.5
    CVSS Temporal Score:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/211168 for
    more information
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
    
    
    CVEID: CVE-2021-22960
    Description: Node.js  is vulnerable to HTTP request smuggling,
    caused by an error when parsing the body of chunked requests. A
    remote attacker could send a specially-crafted request to lead
    to HTTP Request Smuggling (HRS). An attacker could exploit this
    vulnerability to poison the web cache, bypass web application
    firewall protection, and conduct XSS attacks.
    CVSS Base Score: 6.5
    CVSS Temporal Score:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/211171 for
    more information
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
    

Local fix

  • Use a text editor to modify the BPMConfig properties files. For
    more information, see "Configuration properties for the
    BPMConfig command"
    (https://www.ibm.com/docs/en/baw/20.x?topic=utility-configuratio
    n-properties-bpmconfig-command).
    

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix that updates the version of Node.js that is used in the
    Configuration editor will be available in a future release of
    Business Automation Workflow.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR64322

  • Reported component name

    BUS AUTO WORKFL

  • Reported component ID

    5737H4100

  • Reported release

    L00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-11-02

  • Closed date

    2022-02-10

  • Last modified date

    2022-02-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BUS AUTO WORKFL

  • Fixed component ID

    5737H4100

Applicable component levels

[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"21.0.2"}]

Document Information

Modified date:
10 February 2022