JR61972: SECURITY APAR - MULTIPLE VULNERABILITIES IN IBM SDK FOR NODE.JS MIGHT AFFECT THE IBM BPM CONFIGURATION EDITOR

Direct links to fixes

workflow.20001.delta.repository
8.6.10019003-WS-BPM-IFJR61972
8.6.10019002-WS-BPM-IFJR61972
8.6.10019001-WS-BPM-IFJR61972
8.6.10018001-WS-BPM-IFJR61972
8.6.0.201803-WS-BPM-IFJR61972
8.5.7.201706-WS-BPM-IFJR61972

APAR status

Closed as program error.

Error description

CVEID:   CVE-2019-15606
DESCRIPTION:   Node.js could allow a remote attacker to bypass
security restrictions, caused by an issue when HTTP header
values do not have trailing OWS trimmed. By sending a
specially-crafted request, an attacker could exploit this
vulnerability to bypass authorization based on header value
comparisons.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/175914 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2019-15604
DESCRIPTION:   Node.js is vulnerable to a denial of service,
caused by improper certificate validation. By sending a
specially-crafted X.509 certificate, a remote attacker could
exploit this vulnerability to cause the process to abort.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/175912 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2019-15605
DESCRIPTION:   Node.js vulnerable to HTTP request smuggling,
caused by a flaw when handling unusual Transfer-Encoding HTTP
header. By sending a specially-crafted request, an attacker
could exploit this vulnerability to poison the web cache, bypass
web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/175913 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Local fix

Use a text editor to modify the BPMConfig properties files. For
more information, see "Configuration properties for the
BPMConfig command"
(https://www.ibm.com/support/knowledgecenter/SS8JB4/com.ibm.wbpm
.ref.doc/topics/samplecfgprops.html).

Problem summary

No additional information is available.

Problem conclusion

A fix is available or will be available that updates the version
 of Node.js that is used in the Configuration editor.

Temporary fix

Comments

APAR Information

APAR number
JR61972
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
J00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-02-12
Closed date
2020-06-01
Last modified date
2025-07-13

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"19.0.0.1","Line of Business":{"code":"LOB76","label":"Data Platform"}}]

Document Information

Modified date:
14 July 2025

Tips

JR61972: SECURITY APAR - MULTIPLE VULNERABILITIES IN IBM SDK FOR NODE.JS MIGHT AFFECT THE IBM BPM CONFIGURATION EDITOR

Direct links to fixes

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

Document Information

Share your feedback

Need support?