PJ45724: SECURITY APAR - CVE-2019-4426 - CASE BUILDER SERVLET DOESN'T SET THE CORRECT CONTENT TYPE AND PROPERLY ENCODE THE RESPONSE

Direct links to fixes

IBM Case Manager V5.3.3 Interim Fix 10 for Linux for Z
IBM Case Manager V5.3.3 Interim Fix 10 for Windows
IBM Case Manager V5.3.3 Interim Fix 10 for SUSE Linux
IBM Case Manager V5.3.3 Interim Fix 10 for Linux
IBM Case Manager V5.3.3 Interim Fix 10 for AIX
IBM Case Manager V5.3.3 Interim Fix 9 for Linux for Z
IBM Case Manager V5.3.3 Interim Fix 9 for Windows
IBM Case Manager V5.3.3 Interim Fix 9 for Linux
IBM Case Manager V5.3.3 Interim Fix 9 for AIX
IBM Case Manager V5.3.3 Interim Fix 8 for Windows
IBM Case Manager V5.3.3 Interim Fix 8 for Linux
IBM Case Manager V5.3.3 Interim Fix 8 for AIX
IBM Case Manager V5.3.3 Interim Fix 7 for Linux for Z
IBM Case Manager V5.3.3 Interim Fix 7 for Windows
IBM Case Manager V5.3.3 Interim Fix 7 for Linux
IBM Case Manager V5.3.3 Interim Fix 7 for AIX
IBM Case Manager V5.3.3 Interim Fix 6 for Linux
IBM Case Manager V5.3.3 Interim Fix 6 for AIX
IBM Case Manager V5.3.3 Interim Fix 6 for Windows
IBM Case Manager V5.3.3 Interim Fix 6 for Linux for Z
workflow.19003.delta.repository
8.6.10019001-WS-BPM-IFPJ45724
8.6.10019002-WS-BPM-IFPJ45724
IBM Case Manager V5.3.3 Interim Fix 5 for Linux for Z
IBM Case Manager V5.3.3 Interim Fix 5 for Windows
IBM Case Manager V5.3.3 Interim Fix 5 for Linux
IBM Case Manager V5.3.3 Interim Fix 5 for AIX


APAR status

  • Closed as program error.

Error description

  • Case Builder Servlet responds with JSON in the response body,
    but doesn't set the correct content type and properly encode the
    response.
    
    CVEID: CVE-2019-4426
    DESCRIPTION: Case Builder component shipped with IBM Business
    Automation Workflow and IBM Case Manager is vulnerable to
    cross-site scripting. This vulnerability allows users to embed
    arbitrary JavaScript code in the Web UI thus altering the
    intended functionality potentially leading to credentials
    disclosure within a trusted session.
    CVSS Base Score: 5.4
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/162772 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
    
    
    PRODUCTS AFFECTED
    IBM Business Automation Workflow
    IBM Case Manager
    

Local fix

  • N/A
    

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix that ensures a correct content type is returned for JSON
    from Case Builder will be included in a future release of Case
    Manager V5.3.3 and Business Automation Workflow.
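    The error description and the problem conclusion above name two
    properties a JSON-returning servlet must have: a correct JSON content
    type and a properly encoded body. The following Python example is
    added here to illustrate both; it is not IBM's code and does not
    reflect the Case Builder servlet's implementation. The function
    names, the constructed sample payload and the `check_response`
    review helper are all assumptions made for this illustration.

```python
import json
import re

# Constructed sample payload for this example. The string value carries
# HTML metacharacters so the difference between the two responses shows.
SAMPLE = {"caseTitle": "<b>Title</b> & notes", "id": 42}

# Characters that matter if a JSON body is ever rendered as HTML. Inside a
# JSON string they may be written as \uXXXX escapes without changing the
# decoded value, so the replacement is lossless for JSON consumers.
_HTML_META_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def weak_response(payload):
    """Assumed weak pattern (not IBM's code): the JSON body is sent with no
    Content-Type header and with markup characters left literal, so a
    browser that sniffs the type may treat the body as HTML."""
    headers = {}
    body = json.dumps(payload)
    return headers, body


def hardened_response(payload):
    """Assumed hardened pattern: declare the body as JSON, forbid MIME
    sniffing, and escape HTML metacharacters inside JSON strings."""
    body = json.dumps(payload, ensure_ascii=True)
    # '<', '>' and '&' can only occur inside JSON string literals, so a
    # global replacement never touches JSON structure.
    for ch, esc in _HTML_META_ESCAPES.items():
        body = body.replace(ch, esc)
    headers = {
        "Content-Type": "application/json; charset=UTF-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, body


def decode(body):
    """Parse a response body as JSON (used to confirm the escaping is lossless)."""
    return json.loads(body)


def check_response(headers, body):
    """Review helper: return a list of findings for a JSON response.

    An empty list means the response declares a JSON content type, opts
    out of MIME sniffing, and carries no raw HTML metacharacters."""
    findings = []
    ctype = headers.get("Content-Type", "")
    if not ctype.lower().startswith("application/json"):
        findings.append("Content-Type is not application/json: %r" % ctype)
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    if re.search(r"[<>&]", body):
        findings.append("body contains unescaped HTML metacharacters")
    return findings


if __name__ == "__main__":
    for name, build in (("weak", weak_response), ("hardened", hardened_response)):
        headers, body = build(SAMPLE)
        print(name, "->", body)
        for finding in check_response(headers, body):
            print("  finding:", finding)
```

    Running the module reports three findings for the weak response and
    none for the hardened one, while `decode` returns the same payload
    from both bodies. The `\u003c`-style escaping is a belt-and-braces
    measure on top of the content type: the content type and `nosniff`
    header are what stop a browser from rendering the JSON as a page,
    and the escaping limits the damage if the body is ever reflected
    into HTML anyway.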
    

Temporary fix

Comments

APAR Information

  • APAR number

    PJ45724

  • Reported component name

    CASE MGR CLIENT

  • Reported component ID

    5725A1501

  • Reported release

    533

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2019-06-27

  • Closed date

    2019-11-15

  • Last modified date

    2019-12-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    CASE MGR CLIENT

  • Fixed component ID

    5725A1501

Applicable component levels

  • Business Unit: IBM Software w/o TPS (BU059)
  • Product: Case Manager (SSCTJ4)
  • Platform: Platform Independent (PF025)
  • Version: 533
  • Line of Business: Automation (LOB45)

Document Information

Modified date:
08 September 2022