IBM Support

JR64096: SECURITY APAR CVEs - THE FUNCTION TO ACCESS THE DOCUMENTATION OFFLINE HAS THE FOLLOWING SECURITY VULNERABILITIES

APAR status

  • Closed as program error.

Error description

  • This interim fix removes the IBM Knowledge Center Customer
    Installed (KCCI) .ear and .war files, which enabled you to
    access the documentation offline, because they contain the
    following security vulnerabilities. With this interim fix
    applied, the PUBLIC_KC property points to the IBM Documentation
    available online.
    
    CVEID:   CVE-2021-23358
    DESCRIPTION:   Node.js underscore module could allow a remote
    attacker to execute arbitrary code on the system, caused by a
    flaw in the template function. By sending a specially-crafted
    argument using the variable property, an attacker could exploit
    this vulnerability to execute arbitrary code on the system.
    CVSS Base score: 9.8
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/198958 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
    
    CVEID:   CVE-2018-3824
    DESCRIPTION:   Elastic X-Pack Machine Learning is vulnerable to
    cross-site scripting, caused by improper validation of
    user-supplied input. A remote authenticated attacker could
    exploit this vulnerability to inject malicious script into a Web
    page which would be executed in a victim's Web browser within
    the security context of the hosting Web site, once the page is
    viewed. An attacker could use this vulnerability to steal the
    victim's cookie-based authentication credentials.
    CVSS Base score: 5.4
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/150286 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
    
    CVEID:   CVE-2019-7611
    DESCRIPTION:   Elastic Elasticsearch could allow a remote
    authenticated attacker to gain elevated privileges on the
    system, caused by an improper permission issue. By sending a
    specially-crafted request, an attacker could exploit this
    vulnerability to gain privileges.
    CVSS Base score: 8.8
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/159335 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
    
    CVEID:   CVE-2021-29425
    DESCRIPTION:   Apache Commons IO could allow a remote attacker
    to traverse directories on the system, caused by improper input
    validation by the FilenameUtils.normalize method. An attacker
    could send a specially-crafted URL request containing "dot dot"
    sequences (/../) to view arbitrary files on the system.
    CVSS Base score: 7.5
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
    
    CVEID:   CVE-2020-7021
    DESCRIPTION:   Elasticsearch could allow a local authenticated
    attacker to obtain sensitive information, caused by an error
    when audit logging and the emit_request_body option are enabled.
    By opening the audit log, a local authenticated attacker could
    obtain password hashes or authentication tokens and use this
    information to launch further attacks against the affected
    system.
    CVSS Base score: 1.9
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/196943 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)
    
    CVEID:   CVE-2018-3823
    DESCRIPTION:   Elastic X-Pack Machine Learning is vulnerable to
    cross-site scripting, caused by improper validation of
    user-supplied input. A remote authenticated attacker could
    exploit this vulnerability to inject malicious script into a Web
    page which would be executed in a victim's Web browser within
    the security context of the hosting Web site, once the page is
    viewed. An attacker could use this vulnerability to steal the
    victim's cookie-based authentication credentials.
    CVSS Base score: 5.4
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/150287 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
    
    CVEID:   CVE-2020-7020
    DESCRIPTION:   Elastic Enterprise Search could allow a remote
    authenticated attacker to obtain sensitive information, caused
    by not properly preserving security permissions in search
    queries. By sending a search request, a remote attacker could
    exploit this vulnerability to disclose the existence of
    documents.
    CVSS Base score: 3.1
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/190409 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
    
    CVEID:   CVE-2020-8908
    DESCRIPTION:   Guava could allow a remote authenticated attacker
    to bypass security restrictions, caused by a temp directory
    creation vulnerability in
    com.google.common.io.Files.createTempDir(). By sending a
    specially-crafted request, an attacker could exploit this
    vulnerability to bypass access restrictions.
    CVSS Base score: 5.4
    CVSS Temporal Score: See:
    https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
    

Local fix

  • N/A
    

Problem summary

  • No additional information is available.
    

Problem conclusion

  • Use the public online documentation.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR64096

  • Reported component name

    BPM

  • Reported component ID

    5737A5700

  • Reported release

    860

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2021-08-24

  • Closed date

    2021-09-24

  • Last modified date

    2021-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM

  • Fixed component ID

    5737A5700

Applicable component levels

  • Product

    IBM Business Process Manager

  • Version

    8.6.0.0

  • Platform

    Platform Independent

  • Line of Business

    Automation

  • Business Unit

    Cloud & Data Platform

Document Information

Modified date:
25 September 2021