Direct links to fixes
APAR status
Closed as program error.
Error description
CVEID: CVE-2020-7656 Description: jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the load method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base Score: 6.1 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/182264 for more information CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVEID: CVE-2020-11023 Description: In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CVSS Base Score: 6.1 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/181350 for more information CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) CVEID: CVE-2020-11022 Description: In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. CVSS Base Score: 6.1 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/181349 for more information CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) PRODUCTS AFFECTED IBM Business Process Manager (BPM) Advanced IBM BPM Standard IBM BPM Express IBM BPM IBM Business Automation Workflow
Local fix
Problem summary
No additional information is available.
Problem conclusion
A fix that updates the versions of JQuery used by the legacy Lombardi Portal is planned for inclusion in the latest fix packs of IBM BPM 8.0.1.3, IBM BPM 8.5 and 8.6, the latest two fix packs of Business Automation Workflow, and all future deliverables.
Temporary fix
Comments
APAR Information
APAR number
JR62354
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
K00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-05-27
Closed date
2020-09-03
Last modified date
2020-09-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"20.0.0.1"}]
Document Information
Modified date:
14 December 2020