JR60499: SECURITY APAR CVE-2018-1997 - VULNERABILITIES IN REST CALL IN WEB PROCESS DESIGNER

8.6.10018002-WS-BPM-IFJR60499
8.6.10018001-WS-BPM-IFJR60499
8.6.0.201803-WS-BPM-IFJR60499
8.6.0.201712-WS-BPM-IFJR60499
8.5.7.201706-WS-BPM-IFJR60499
8.5.6.2-WS-BPM-IFJR60499
8.5.5.0-WS-BPM-IFJR60499
workflow.19001.delta.repository

APAR status

• Closed as program error.

Error description

• CVEID: CVE-2018-1997
  DESCRIPTION: IBM Business Automation Workflow and Business
  Process Manager are vulnerable to a denial of service attack. An
  authenticated attacker might send a specially crafted request
  that exhausts server-side memory.
  CVSS Base Score: 4.3
  CVSS Temporal Score:
  See https://exchange.xforce.ibmcloud.com/vulnerabilities/154774 
  for the current score
  CVSS Environmental Score*: Undefined
  CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
  
  PRODUCTS AFFECTED
  IBM Business Automation Workflow
  IBM Business Process Manager (BPM)
  IBM BPM Advanced
  IBM BPM Standard
  IBM BPM Express
  

Local fix

Problem summary

• A vulnerability exists in some Business Automation Workflow REST
   APIs where an HTTP request with long lines could hang the
  server and prevent service.
  

Problem conclusion

• A fix that reads the input of the affected APIs in small chunks
  and truncates lines that are beyond the expected length is
  available for IBM BPM V8.5.5.0, V8.5.6.0 cumulative fix (CF) 2,
  V8.5.7.0 CF2017.06, V8.6.0.0 CF2018.12, V8.6.0.0 CF2018.03,
  Business Autiomation Workflow 18.0.0.1 and 18.0.0.2, and will be
   included in future releases of Business Automation Workflow.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BUS AUTO WORKFL

• Fixed component ID

  5737H4100

Applicable component levels