Fix Readme
Abstract
This readme is for IBM Business Automation Workflow on containers 24.0.0.0 interim fixes released periodically to resolve security vulnerabilities, as well as other defects. It includes information about the CASE package download, installation, and other information about interim fixes for the 24.0.0.0 release.
Content
| Readme file for | IBM Business Automation Workflow on containers |
|---|---|
| Product release | 24.0.0.0 |
| Publication date | 2 August 2024 |
Contents
Prerequisites and superseding fixes
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Prerequisites and superseding fixes
- To apply the interim fix you have to be at product version level 24.0.0.0.
- Each interim fix typically supersedes all other previous interim fixes shipped for 24.0.0.0, and compliments a simultaneously delivered interim fix for IBM Cloud Pak for Business Automation 24.0.0. Consult the following table for specific relationships.
- Business Automation Workflow on containers delivers container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly. These interim fixes include fixes for these libraries. Consult the superseded and related Cloud Pak for Business Automation 24.0.0 Readmes for specific information about vulnerabilities and other defects that have been addressed.
Business Automation Workflow on containers interim fixes
| Interim fix name | Superseded interim fix names | CASE package | Complimentary Cloud Pak for Business Automation interim fix name | Released |
| 24.0.0.0 IF007 | See note (*) below | ibm-cs-bawautomation-2.7.7.tgz | 24.0.0 IF007 | October 2025 |
| 24.0.0.0 IF006 | See note (*) below | ibm-cs-bawautomation-2.7.6.tgz | 24.0.0 IF006 | July 2025 |
| 24.0.0.0 IF005 | See note (*) below | ibm-cs-bawautomation-2.7.5.tgz | 24.0.0 IF005 | May 2025 |
| 24.0.0.0 IF004 | See note (*) below | ibm-cs-bawautomation-2.7.4.tgz | 24.0.0 IF004 | February 2025 |
| 24.0.0.0 IF003 | See note (*) below | ibm-cs-bawautomation-2.7.3.tgz | 24.0.0 IF003 | October 2024 |
| 24.0.0.0 IF002 | * Note: All previous interim fixes listed in this table | ibm-cs-bawautomation-2.7.2.tgz | 24.0.0 IF002 | August 2024 |
| 24.0.0.0 IF001 | None | ibm-cs-bawautomation-2.7.1.tgz | 24.0.0 IF001 | July 2024 |
The previous table is chronologically listed in reverse order, with more recent fixes listed at the top.
Components impacted
Before installation
a. Ensure you back up all databases associated with the environment.
b. Ensure your operators are in a healthy state before upgrading.
If one or more operators are failing, the system might be prevented from completing an upgrade. Check a few of the important custom resource (CR) statuses for failures and to ensure the statuses appear ready for the various installed components.
Check the status of the following CRs when they exist:
oc get icp4acluster -o yamlInstalling the interim fix
Two stages are involved in an update: 1. updating the operators, and 2. updating the images for the deployments and pods.
After the operator is upgraded, rolling updates for all the pods the operator manages are triggered to ensure they are updated to the appropriate version that matches the operator. However there are some circumstances that can prevent this from occurring (see further details below).
To install the interim fix follow the general procedure described for Upgrading to 24.0.0.0 but use the supplemental information below that applies to the specific setup you have.
Updating the operators
For an online installation of the interim fix:
- Business Automation Workflow 24.0.0.0 interim fixes are released to the v24.0 operator channel.
- If your environment was installed before 24.0.0.0 IF005, has access to the IBM entitled registry, and has an automatic v24.0 channel subscription, enterprise installations are upgraded automatically. This upgrade usually occurs when the interim fix is released or when images are mirrored for air-gap setup. From 24.0.0.0 IF005 onwards a new, pinned catalogue source is introduced to prevent the risk of incompatible operator updates. Operators need to be updated to use the new catalog. In an online OCP installation the operator upgrade and pinned catalogue creation is taken care of for you when you run the upgradeOperator script as part of the instructions linked below.
- If your environment was installed at 24.0.0.0 IF005 level or later it will use the pinned catalog from the outset. This catalog needs to be updated with each subsequent interim fix update (via the upgradeOperator script).
Follow the procedure described for Upgrading to 24.0.0.0 with the following modifications:
- At step 3 follow the link to access the required archive file. For example, for 24.0.0.0 IF005 : 24.0.0-IF005.tar
- At step 4.c remove individual image tag settings in your Business Automation Workflow CR file.
Note that there can be a delay before the operator is updated (e.g. the default refresh interval for the catalog source can cause a delay of up to 45 minutes).
For installing the interim fix in an air gapped/offline/private registry environment:
- Use the CASE package that is associated with the interim fix being applied. It is typically recommended that the latest interim fix be applied. To identify the appropriate CASE package, as well as links to obtain each package, see the table under Prerequisites and superseding fixes.
- Use the same method as you did for the initial setup to mirror the new catalogs or images to your offline registry, taking care to use the appropriate CASE package for the interim fix level you are updating to. For more information, see Mirroring images to the private registry.
If you have subscriptions set to manual, you must approve all the pending operator updates.
Important: Do not set subscriptions to manual because it can make the the upgrade more error prone if some of the many operator updates are not approved. By default all subscriptions are set to automatic.
Updating the deployments and pods
After the operators are updated, the update of the related deployments and pods are triggered by the newly updated operators to ensure the version matches the operator.
Important: Using individual image tag settings in your Business Automation Workflow CR file could prevent the operator from updating the images to the appropriate version. Ensure you remove these settings for a production installation and apply the modified CR as instructed in the linked upgrade instructions above.
Performing the necessary tasks after installation
Review the installation
Review the CR yaml status section and operator logs after the upgrade to ensure no failures prevented your pods from upgrading.
oc get icp4acluster -o yaml > CP4BAconfig.yaml
oc logs deployment/ibm-cp4a-operator -c operator > operator.logTo verify the expected image digest for a particular image, review the
ibm-cs-bawautomation\inventory\cp4aOperatorSdk\resources.yaml file in the CASE package. This file has a listing of the images managed by the Cloud Pak for Business Automation operator and their expected digest for this particular interim fix level.Uninstalling
There is no procedure to uninstall the interim fix.
List of fixes
The following Known Issues (APARs) are specific to Business Automation Workflow on containers. Depending on the components and capabilities you installed and configured, additional fix information might apply to you. See the "List of Fixes" in the readmes linked under Complimentary Cloud Pak for Business Automation interim fixes in the Prerequisites and superseding fixes section in this document. These readmes detail vulnerability fixes shipped with interim fixes for included operating system level and other open source libraries. The fixes below are also listed in those readmes, but they are also listed here as a convenience.
Fixes that involve security are indicated with an X mark.
Business Automation Workflow
24.0.0.0 IF007
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT443492 | X | Cross-Site scripting via Unauthenticated Endpoint - IBM Process Federation Server | |
| DT445908 | X | CVE-2025-27817, CVE-2025-27818 in kafka-clients-3.8.1.jar affecting event | |
| DT446350 | X | CVE-2025-7783 - form-data-4.0.0.tgz affects Process Admin Console | |
| DT446595 | X | Security vulnerability (CVE-2025-7783) in form-data-4.0.0.tgz affects Workflow centre and Process Designer | |
| DT447031 | X | CVE-2025-36172 Cross-Site Scripting vulnerability in Case Client | |
| DT393473 | Navigator Business Automation Workflow desktop is not fully accessible due to user permission error | ||
| DT422724 | Process Admin Console Group Management member list does not show user display names | ||
| DT435499 | Coach UI is not displayed correctly in Workflow server after snapshot deployment | ||
| DT438061 | Quick Task Assignment Disposal Policy throws error: | ||
| DT439845 | Lack of security or owner on Quick Task Attachment Collection class leads to Quick Task Attachment Collection Disposal Policy throwing error E_ACCESS_DENIED | ||
| DT446772 | Process instance status can end in status completed even if the end node is a terminate one if there is a subprocess marked as reusable | ||
| DT447017 | Case Activity fails to complete due to DB deadlock | ||
| DT447504 | Restarting previous case stage operation fails with FNRCE0007E when no prior stage exists in BAW | ||
| DT448347 | tw.system.currentProcessInstance.parentCase.terminateActivities() API does not terminate failed workflow instances | ||
| DT448726 | Data mappings of an activity in a service flow might not be shown | ||
| DT450303 | Uninitialized complex type business object variables cannot be updated in Process Inspector | ||
| DT451052 | Process Instances cannot be deleted due to incorrect CAN_DELETE_INSTANCE value | ||
| DT451296 | Saved Searches imported into Process Federation Server might get saved with incorrect value for OWNER | ||
| DT453431 | Snapshot status not getting updated in Process Admin console |
24.0.0.0 IF006
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT419489 | X | CVE-2024-38820, CVE-2025-22233 - Update Spring framework | |
| DT426117 | X | Update cometD library to 5.0.21 | |
| DT439593 | X | Security vulnerability cross-site scripting | |
| DT439782 | X | Multiple security vulnerabilities affect swagger-ui | |
| DT440290 | X | CVE-2025-48734 in commons-beanutils | |
| DT446327 | X | CVE-2025-27817, CVE-2025-27818 in kafka-clients-3.8.1.jar may affect Case Event Emitters | |
| DT398711 | When restating an Openshift Cluster you may see the Workflow pods get into a Init:CrashLoopBackOff state with a permissions error - Cloud Pak for Business Automation | ||
| DT434513 | Searching processes in Process Portal results in ''org.apache.lucene.search.BooleanQuery$TooManyClauses: maxClauseCount is set to 1024'' error | ||
| DT437586 | When using the Processes dashboard and clicking on a process instance, details from another instance are displayed | ||
| DT437853 | User may observe slow performance when server starts after upgrading to Business Automation Workflow 23.0.2 or a later version | ||
| DT438377 | Cloud Pak for Business Automation zen_performance parameters not passed to WorkflowRuntime CR | ||
| DT440081 | The REST API /ops/std/bpm/processes/count throws an exception when the process_ids parameter includes an instance id greater than 2147483647 | ||
| DT442637 | Administration service is unable to be opened due to /teamworks/process.lsw being cached unexpectedly | ||
| DT442676 | TWObject de-serialization exception stops process instances that use nested heritage human services after migration to IBM Business Automation Workflow 24.0.0.0 | ||
| DT443418 | Clicking on a task link fails to open in a new tab and leads to an error: The requested page is not available. |
24.0.0.0 IF005
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT417496 | X | CVE-2024-31141 in kafka-clients reported for bai-events-java-sdk | |
| DT433330 | X | Security vulnerabilities CVE-2024-57965, CVE-2025-27152 and CVE-2025-27789 affect Process Admin Console | |
| DT395245 | Unable to upload file using BPM document list control after installing the DT213423 & DT380377 fixes | ||
| DT399826 | IBM License Service shows warnings for missing pod annotation productMetric | ||
| DT422946 | Event Manager tasks are slow to execute and at times, and never complete after upgrading to BAW V24.0.0 | ||
| DT423276 | Unable to search Task in the Process Portal Work Dashboard | ||
| DT423451 | The BPM document list component can upload the same file multiple times | ||
| DT425681 | Even though monitoring for Workflow is enabled there are no prometheus events | ||
| DT426664 | Business Automation Workflow pod repeatedly restarting after applying Interim fix 4 for 24.0.0 | ||
| DT433874 | Blank editor property sheets after renaming an activity | ||
| DT435315 | You may notice a performance issue related to memory usage when load testing includes heritage human services that do not reach an end event |
24.0.0.0 IF004
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT395401 | X | SECURITY - CVE-2024-38808 IN SPRING EXPRESSIONS | |
| DT397840 | X | CVE-2024-22262, CVE-2024-38809 in Spring Framework IBM Business Automation Workflow | |
| DT398089 | X | CVE-2024-49348 Prevent Reassignment of Comment Tasks | |
| DT398149 | X | Updating jjwt-api to 0.12.6 | |
| DT398542 | X | Security - CVE-2024-47554 in Apache commons-io may affect BPM Event emitters | |
| DT398749 | X | DBACLD-154421 - DT398749 - CVE-2024-47554 in commons-io | |
| DT416868 | X | CVE-2024-21538 in cross-spawn-5.1.0.tgz affects Process Admin Console | |
| DT418808 | X | Security vulnerability CVE-2024-47175 impacts with version 24.0.0.0 interim fix 003 | |
| DT418809 | X | Security vulnerability CVE-2024-29857 impacts with version 24.0.0.0 interim fix 003 | |
| DT400225 | X | CVE-2024-47554 in Apache commons-io may affect Case Event emitters | |
| DT387108 | Navigation to the last page fails with a NullPointerException when sorting by any business property that includes null values, causing the browser to become unresponsive | ||
| DT389490 | Case client in-basket tabs are rendered incorrectly | ||
| DT390087 | There is Case Swagger API version mismatch in the latest build | ||
| DT390215 | Unable to add new filters to saved searches in Process Portal | ||
| DT391193 | '[property name] does not resolve to an existing business object property' validation error may appear on the process app or toolkit | ||
| DT394400 | The ''Go to a specified URL'' in End event does work as expected after upgrade to 23.0.2 | ||
| DT394730 | Unable to load error when editing decision tables | ||
| DT396882 | The reloadTask BPM REST API incorrectly includes null properties in the response data | ||
| DT397283 | The 'Select the first document in the list by default' feature in the case details page fails to load the right click options for the first document in case page | ||
| DT398147 | The work In-basket menu options do not appear when right-clicking on a work item in BAW desktop when using legacy case solution | ||
| DT398438 | You encounter an internal server error when you try to edit the server configuration in IBM Business Automation Workflow (BAW) Process Admin Console->Installed Apps->App Details->Servers page | ||
| DT398663 | [DT398663 ] Deployed Classic Case Builder Solution in 23.0.2 appears as not deployed at every reload of the browser - Cloud Pak for Business Automation | ||
| DT399826 | IBM License Service not working caused by missing annotation productMetric in Pod's description | ||
| DT400000 | Cannot save audit manifest with Activity properties with error: java.lang.RuntimeException: The key [isBusinessObject] was not in the map | ||
| DT400076 | Case client displays an intermittent error when switching roles: Expecting { on line 1, column 4 instead, obtained token: Token: Number - 403 | ||
| DT400142 | Default values in service flow might not be used after upgrading to IBM Business Automation Workflow V24.0.0 | ||
| DT416464 | When invoking an external Web service, the request might be serialized using incorrect namespace leading during issues in the Web service | ||
| DT419081 | Cloud Pak for Business Automation operator fails to add https or port for a embedded Process Federation Server | ||
| DT419248 | You see error in case activities Client-side Human Service view, FNRPA0556E The deployed task type info object for the {GUID} task type was not found after solution deployment. | ||
| DT419609 | Default Data Label Autocompletion Service called by Processes dashboard causes high CPU usage |
24.0.0.0 IF003
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT395404 | X | CVE-2024-39338 in axios affects Process Admin Console | |
| DT396474 | X | CVE-2024-45296 in path-to-regexp affects IBM Business Automation Workflow | |
| DT393042 | THE START TIME AND END TIME MAY BE CONVERTED INCORRECTLY WHEN YOU CREATE A DATE/TIME RANGE PERIOD IN THE BLACKOUT PERIODS PAGE IN THE PROCESS ADMIN CONSOLE | ||
| DT399834 | The Workflow Operator get stuck when a Business Automation Workflow instance does not have case configured | ||
| DT399918 | Using baw_configuration[x].liberty_custom_xml to customize the Business Automation Workflow Runtime Liberty server fails | ||
| DT400133 | workflow-runtime-operator pod crashes if CASE custom_package_names is set |
24.0.0.0 IF002
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT365505 | X | CVE-2023-4218 - org.eclipse.core.runtime | |
| DT392892 | NUMERIC VARIABLES NOT PASSED WITH CORRECT TYPE TO CLIENT-SIDE HUMAN SERVICES WHEN USING NEW DATA MAPPING MODE |
24.0.0.0 IF001
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT386834 | X | CVE-2023-33008 in Apache Johnzon affects BAStudio and Workflow Authoring | |
| DT383336 | Case client generates CDEWG3401 The following view definition cannot be found: CaseSearchView error | ||
| DT389442 | YOU ENCOUNTER AN ERROR IF THE EVENT SUBSCRIPTIONS ARE EMPTY WHEN YOU OPEN THE EVENT SUBSCRIPTIONS TAB IN PROCESS ADMIN CONSOLE->INSTALLED APPS->APP DETAILS PAGE | ||
| DT390318 | The db-init job will constantly be recreated if the job takes too long to complete | ||
| DT391336 | THE PROCESS ADMIN CONSOLE->PERFORMANCE->MONITORING PAGE DOES NOT WORK WHEN YOU SELECT A NONE ENGLISH LOCALE | ||
| DT391898 | THE PROCESSES FROM OLDER VERSIONS OF BUSINESS AUTOMATION WORKFLOW ARE NOT SHOWING UP IN THE IN-BASKET AFTER UPGRADING TO V24.0.0.0 | ||
| DT393473 | Navigator Business Automation Workflow desktop is not fully accessible due to user permission error |
Document change history
- 31 October 2025: Updated with 24.0.0.0 IF007 details
- 31 July 2025: Updated with 24.0.0.0 IF006 details
- 30 May 2025: Added DT387108 and DT400076 to 24.0.0.0 IF004 fix list.
- 5 May 2025: Revised install instructions to resemble instructions provided for Business Automation Workflow on containers 24.0.1.0.
- 1 May 2025: Updated with 24.0.0.0 IF005 details
- 7 February 2025: Updated with 24.0.0.0 IF004 details
- 28 October 2024: Updated with 24.0.0.0 IF003 details
- 30 August 2024: Updated with 24.0.0.0 IF002 details
- 2 August 2024: Initial publish.
[{"Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Type":"MASTER"}]
Was this topic helpful?
Document Information
Modified date:
10 November 2025
UID
ibm17159792