IBM Support

Security Bulletin: Multiple vulnerabilities may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) offline documentation

Security Bulletin


Summary

IBM Business Process Manager and IBM Business Automation Workflow offline documentation packages open source libraries with known vulnerabilities. Do not install offline documentation and remove existing installations with the fix provided below.

Vulnerability Details

CVEID:   CVE-2021-23358
DESCRIPTION:   Node.js underscore module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the template function. By sending a specially-crafted argument using the variable property, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198958 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2018-3824
DESCRIPTION:   Elastic X-Pack Machine Learning is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150286 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2019-7611
DESCRIPTION:   Elastic Elasticsearch could allow a remote authenticated attacker to gain elevated privileges on the system, caused by an improper permission issue. By sending a specially-crafted request, an attacker could exploit this vulnerability to gain privileges.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159335 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2021-29425
DESCRIPTION:   Apache Commons IO could allow a remote attacker to traverse directories on the system, caused by improper input validation by the FileNameUtils.normalize method. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199852 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:   CVE-2020-7021
DESCRIPTION:   Elasticsearch could allow a local authenticated attacker to obtain sensitive information, caused by an error when audit logging and the emit_request_body option is enabled. By opening the audit log, a local authenticated attacker could obtain password hashes or authentication tokens and use this information to launch further attacks against the affected system.
CVSS Base score: 1.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196943 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2018-3823
DESCRIPTION:   Elastic X-Pack Machine Learning is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150287 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:   CVE-2020-7020
DESCRIPTION:   Elastic Enterprise Search could allow a remote authenticated attacker to obtain sensitive information, caused by not properly preserving security permissions in search queries. By sending a search request, a remote attacker could exploit this vulnerability to disclose the existence of documents.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190409 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2020-8908
DESCRIPTION:   Guava could allow a remote authenticated attacker to bypass security restrictions, caused by a temp directory creation vulnerability in com.google.common.io.Files.createTempDir(). By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192996 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)Version(s)
IBM Business Automation WorkflowV21.0
V20.0
V19.0
V18.0
IBM Business Process ManagerV8.6


For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64096 as soon as practical:

For IBM Business Automation Workflow V18.0, V19.0, and V20.0
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR64096
--OR--
· Apply cumulative fix Business Automation Workflow V21.0.3 or later

For IBM Business Process Manager V8.6
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR64096
--OR--
· Upgrade to Business Automation Workflow V21.0.3 or later

The fix removes offline documentation (if installed) as described in 

· Downloadable content for IBM Business Process Manager (BPM) documentation (Knowledge Center)
· Downloadable content for IBM Business Automation Workflow documentation (Knowledge Center)

Workarounds and Mitigations

Do not install offline documentation, but access online documentation instead. For more information on offline documentation, see https://www.ibm.com/docs/en/baw/20.x?topic=overview-deprecated-accessing-documentation-offline

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

Change History

28 Sep 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2, 19.0.0.3,20.0.0.1, 20.0.0.2,21.0.2","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}},{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSFTBX","label":"IBM Business Process Manager Express"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.6","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}},{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.6","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}},{"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.6","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
28 September 2021

UID

ibm16493267