IBM Support

JR62922: SECURITY APAR - CVE-2020-5258, CVE-2020-5259, AND CVE-2019-10785 AFFECT THE IBM BUSINESS AUTOMATION APPLICATION PATTERN


APAR status

  • Closed as program error.

Error description

  • The following security issues in the IBM Business Automation
    Application pattern occur because of CVE-2020-5258,
    CVE-2020-5259, and CVE-2019-10785.
    
    CVEID:   CVE-2020-5258
    DESCRIPTION:   Dojo dojo could allow a remote attacker to inject
    arbitrary code on the system, caused by a prototype pollution
    flaw. By injecting other values, an attacker could exploit this
    vulnerability to overwrite, or pollute, a JavaScript application
    object prototype of the base object.
    CVSS Base score: 7.5
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/177751 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
    
    CVEID:   CVE-2020-5259
    DESCRIPTION:   Dojo dojox could allow a remote attacker to
    inject arbitrary code on the system, caused by a prototype
    pollution flaw. By injecting other values, an attacker could
    exploit this vulnerability to overwrite, or pollute, a
    JavaScript application object prototype of the base object.
    CVSS Base score: 7.5
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/177752 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
    
    CVEID:   CVE-2019-10785
    DESCRIPTION:   Dojox is vulnerable to cross-site scripting,
    caused by improper validation of user-supplied input by the
    dojox.xmpp.util.xmlEncode. A remote attacker could exploit this
    vulnerability to execute script in a victim's Web browser within
    the security context of the hosting Web site. An attacker could
    use this vulnerability to steal the victim's cookie-based
    authentication credentials.
    CVSS Base score: 6.1
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/176460 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
    
    PRODUCTS AFFECTED
    IBM Cloud Pak for Automation - Business Automation Application
    IBM Cloud Pak for Automation - Business Automation Studio
    IBM Cloud Pak for Automation - Business Automation Workflow
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix is available for the last fix pack of all affected
    supported releases as well as the last two releases of Single
    Stream Continuous Delivery (SSCD).
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR62922

  • Reported component name

    CLOUD PAK FOR A

  • Reported component ID

    5737I2300

  • Reported release

    K00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-10-27

  • Closed date

    2020-12-15

  • Last modified date

    2020-12-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    CLOUD PAK FOR A

  • Fixed component ID

    5737I2300

Applicable component levels


Document Information

Modified date:
11 March 2022