Fix Readme
Abstract
This readme is for IBM Business Automation Workflow on containers 24.0.1.0 interim fixes released periodically to resolve security vulnerabilities, as well as other defects. It includes information about the CASE package download, installation, and other information about interim fixes for the 24.0.1.0 release.
Content
| Readme file for | IBM Business Automation Workflow on containers |
|---|---|
| Product release | 24.0.1.0 |
| Publication date | 28 February 2025 |
Contents
Prerequisites and superseding fixes
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Prerequisites and superseding fixes
- To apply the interim fix you have to be at product version level 24.0.1.
- Each interim fix typically supersedes all other previous interim fixes shipped for 24.0.1.0, and compliments a simultaneously delivered interim fix for IBM Cloud Pak for Business Automation 24.0.1. Consult the following table for specific relationships.
- Business Automation Workflow on containers delivers container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly. These interim fixes include fixes for these libraries. Consult the superseded and related Cloud Pak for Business Automation 24.0.1 Readmes for specific information about vulnerabilities and other defects that have been addressed.
Business Automation Workflow on containers interim fixes
| Interim fix name | Superseded interim fix names | CASE package | Complimentary Cloud Pak for Business Automation interim fix name | Released |
| 24.0.1.0 IF006 | See note (*) below | ibm-cs-bawautomation-2.8.6.tgz | 24.0.1 IF006 | December 2025 |
| 24.0.1.0 IF005 | See note (*) below | ibm-cs-bawautomation-2.8.5.tgz | 24.0.1 IF005 | September 2025 |
| 24.0.1.0 IF004 | See note (*) below | ibm-cs-bawautomation-2.8.4.tgz | 24.0.1 IF004 | July 2025 |
| 24.0.1.0 IF002 | * Note: All previous interim fixes listed in this table | ibm-cs-bawautomation-2.8.2.tgz | 24.0.1 IF002 | April 2025 |
| 24.0.1.0 IF001 | None | ibm-cs-bawautomation-2.8.1.tgz | 24.0.1 IF001 | February 2025 |
This table is chronologically listed in reverse order, with more recent fixes listed at the top.
Components impacted
Before installation
a. Ensure you back up all databases associated with the environment.
b. Ensure your operators are in a healthy state before upgrading.
If one or more operators are failing, the system might be prevented from completing an upgrade. Check a few of the important custom resource (CR) statuses for failures and to ensure the statuses appear ready for the various installed components.
Check the status of the following CRs when they exist:
oc get icp4acluster -o yamlInstalling the interim fix
Two stages are involved in an update: 1. updating the operators, and 2. updating the images for the deployments and pods
After the operator is upgraded, rolling updates for all the pods the operator manages are triggered to ensure they are updated to the appropriate version that matches the operator. However there are some circumstances that can prevent this from occurring (see further details below)
To install the interim fix follow the general procedure described for Upgrading to 24.0.1.0 but use the supplemental information below that applies to the specific setup you have.
Updating the operators
For an online installation of the interim fix:
- Business Automation Workflow 24.0.1.0 interim fixes are released to the v24.1 operator channel.
- If your environment was installed before 24.0.1.0 IF002, has access to the IBM entitled registry, and has an automatic v24.1 channel subscription, enterprise installations are upgraded automatically. This upgrade usually occurs when the interim fix is released or when images are mirrored for air-gap setup. From 24.0.1.0 IF002 onwards a new, pinned catalogue source is introduced to prevent the risk of incompatible operator updates. Operators need to be updated to use the new catalog. In an online OCP installation the operator upgrade and pinned catalogue creation is taken care of for you when you run the upgradeOperator script as part of the instructions linked below.
- If your environment was installed at 24.0.1.0 IF002 level or later it will use the pinned catalog from the outset. This catalog needs to be updated with each subsequent interim fix update (via the upgradeOperator script).
Follow the procedure described for Upgrading to 24.0.1.0 with the following modifications:
- At step 3 follow the link to access the required archive file. For example, for 24.0.1.0 IF002 : 24.0.1.2.tar
- At step 4.c remove individual image tag settings in your Business Automation Workflow CR file.
Note that there can be a delay before the operator is updated (e.g. the default refresh interval for the catalog source can cause a delay of up to 45 minutes).
For installing the interim fix in an air gapped/offline/private registry environment:
- Use the CASE package that is associated with the interim fix being applied. It is typically recommended that the latest interim fix be applied. To identify the appropriate CASE package, as well as links to obtain each package, see the table under Prerequisites and superseding fixes.
- Use the same method as you did for the initial setup to mirror the new catalogs or images to your offline registry, taking care to use the appropriate CASE package for the interim fix level you are updating to. For more information, see Mirroring images to the private registry.
If you have subscriptions set to manual, you must approve all the pending operator updates.
Important: Do not set subscriptions to manual because it can make the the upgrade more error prone if some of the many operator updates are not approved. By default all subscriptions are set to automatic.
Updating the deployments and pods
After the operators are updated, the update of the related deployments and pods are triggered by the newly updated operators to ensure the version matches the operator.
Important: Using individual image tag settings in your Business Automation Workflow CR file could prevent the operator from updating the images to the appropriate version. Ensure you remove these settings for a production installation and apply the modified CR as instructed in the linked upgrade instructions above.
Performing the necessary tasks after installation
Review the installation
Review the CR yaml status section and operator logs after the upgrade to ensure no failures prevented your pods from upgrading.
oc get icp4acluster -o yaml > CP4BAconfig.yaml
oc logs deployment/ibm-cp4a-operator -c operator > operator.logTo verify the expected image digest for a particular image, review the
ibm-cs-bawautomation\inventory\cp4aOperatorSdk\resources.yaml file in the CASE package. This file has a listing of the images managed by the Cloud Pak for Business Automation operator and their expected digest for this particular interim fix level.Uninstalling
There is no procedure to uninstall the interim fix.
List of fixes
The following Known Issues (APARs) are specific to Business Automation Workflow on containers. Depending on the components and capabilities you installed and configured, additional fix information might apply to you. See the "List of Fixes" in the readmes linked under Complimentary Cloud Pak for Business Automation interim fixes in the Prerequisites and superseding fixes section in this document. These readmes detail vulnerability fixes shipped with interim fixes for included operating system level and other open source libraries. The fixes below are also listed in those readmes, but they are also listed here as a convenience.
Fixes that involve security are indicated with an X mark.
Business Automation Workflow
24.0.1.0 IF006
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| N/A | X | In addition to updating many operating system level packages, as well as those listed in this table for which Known Issue have been opened, this IBM Business Automation Workflow container fix addresses the following vulnerabilities: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61727, CVE-2025-61729, CVE-2025-58056, CVE-2025-58057, CVE-2025-53066, CVE-2025-53057, CVE-2025-62727 For more details, visit the related Security Bulletin. | |
| DT440290 | X | CVE-2025-48734 in commons-beanutils | |
| DT446922 | X | CVE-2025-48976 - DoS vulnerability in commons-fileupload affects IBM Business Automation Workflow | |
| DT447031 | X | CVE-2025-36172 Cross-Site Scripting vulnerability in Case Client | |
| DT446350 | X | CVE-2025-7783 - form-data-4.0.0.tgz affects Process Admin Console | |
| DT448632 | X | CVE-2025-48924 in Apache commons-lang may affect IBM Business Automation Workflow | |
| DT450355 | X | CVE-2025-41242 - Update Spring framework in Business Automation Workflow | |
| DT451477 | X | Security - CVE-2025-58754 reported for axios-1.11.0 | |
| DT450856 | X | CVE-2025-22868 - golang.org/x/oauth2-v0.12.0 | |
| DT455668 | X | CVE-2025-57352 in min-document | |
| DT456229 | X | CVE-2025-13096 - XML Entity Expansion vulnerability in IBM Business Automation Workflow | |
| DT457061 | X | Server side Request Forgery affects IBM Business Automation Workflow and Cloud Pak for Business Automation | |
| DT454003 | Optimized Persistent Object cache using the soft reference is now disabled by default. | Persistent Object cache optimization is enabled by default in versions prior to 25.0.0.0 | |
| DT439845 | Lack of security or owner on Quick Task Attachment Collection class leads to Quick Task Attachment Collection Disposal Policy throwing error E_ACCESS_DENIED | ||
| DT443993 | Enterprise Content Management File Uploader does not allow selecting multiple files | ||
| DT443567 | Error in logs when loading portal components 'Caused by: java.lang.IndexOutOfBoundsException: No group 3' | ||
| DT447005 | Process instance migration API call /ops/std/bpm/containers/migrate_without_policyfile fails | ||
| DT447504 | When the current stage is the first stage, an attempt to restart a non-existent prior case stage results in a failure with error FNRCE0007E | ||
| DT449006 | Unable to copy/Paste text or select hyperlinks when using Rich Text Editor in read-only Mode | ||
| DT448347 | tw.system.currentProcessInstance.parentCase.terminateActivities() API does not terminate failed workflow instances | ||
| DT448726 | Data mappings of an activity in a service flow might not be shown | ||
| DT450150 | Business Automation Workflow static files not being cached when Case Client desktop is loaded | ||
| DT450286 | Multiple content objects for the same parent case may be created for a Case solution | ||
| DT451768 | Business Automation Workflow JMS pod liveness probe returning 500 error | ||
| DT450835 | UCA processing leads to error : com.lombardisoftware.core.TeamWorksException: Type mismatch. Expected 'tw.object.BOName[]' type, but found 'tw.object.BOName[]' | ||
| DT451922 | After upgrading to IBM Business Automation Workflow 24.0.1 Integer and Decimal views are unexpectedly right aligned | ||
| DT451052 | Process Instances cannot be deleted due to incorrect CAN_DELETE_INSTANCE value | ||
| DT451296 | Saved Searches imported into Process Federation Server might get saved with incorrect value for OWNER | ||
| DT452329 | The execution duration in Event Manager task history can be a negative value for short duration tasks | ||
| DT452348 | Some fields are unexpectedly highlighted as having an error in process portal tasks after upgrade to IBM Business Automation Workflow 24.0.1.0 | ||
| DT453198 | In nested expandable tables, the chevron points in wrong direction | ||
| DT454434 | Overlapping exposing items text in Process Admin Console | ||
| DT453431 | Snapshot status not getting updated in Process Admin console | ||
| DT454461 | bpm-dtp-date-active-color property not picked up from theme in Date/time picker view | ||
| DT454846 | When updating an existing document to newer version(s) of the document having a different mime type, the mime type of the document always reflects the mime type of the first version | ||
| DT454846 | When updating an existing document to newer version(s) of the document having a different mime type, the mime type of the document always reflects the mime type of the first version | ||
| DT454906 | When managing EPVs in the Process Admin Console, a full refresh of the browser is required for changes to take effect when updating variables | ||
| DT456476 | BatchUpdateExceptions are seen when indexing tasks which have been created by Business Automation Workflow 19.0.0.1 or older are not updated | ||
| DT455683 | When clicking on a ToDo task in the IBM Business Automation Workflow Case Client, the message Loading... appears but Task is not opened. Error in console: Uncaught TypeError: can't access property set, casePropController is undefined. | ||
| DT457084 | db-init-job failing due to permissions when attempting to migrate process instances on 24.0.1 | ||
| DT457658 | MSSQL: ProgrammaticTransactionSupport incorrectly retries transactions on SQLSTATE S0001 for BadSqlGrammarException causing EM job failure in IBM Business Automation Workflow | ||
| DT435499 | Coach UI is not displayed correctly in Workflow server after snapshot deployment | ||
| DT422724 | Process Admin Console Group Management member list does not show user display names | ||
| DT419413 | [DOC] The Content Object created for a re-use case property has a broken reference to the associated choice list in IBM Web Process Designer | ||
| DT436090 | CWLLG2156W: The database connection pool size (200) of the Workflow Server data source might be too small tuning queue capacity and cm_max_pool_size (CP4BA) |
24.0.1.0 IF005
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT419489 | X | CVE-2024-38820, CVE-2025-22233 - Update Spring framework in Business Automation Workflow | |
| DT426117 | X | Update cometD library to 5.0.21 | |
| DT440290 | X | CVE-2025-48734 in commons-beanutils | |
| DT445908 | X | CVE-2025-27817, CVE-2025-27818 in kafka-clients-3.8.1.jar affecting event emitters | |
| DT446327 | X | [BAW-CaseEmitters] CVE-2025-27817, CVE-2025-27818 in kafka-clients-3.8.1.jar reported for Case Emitters | |
| DT446350 | X | CVE-2025-7783 - form-data-4.0.0.tgz affects Process Admin Console | |
| DT447031 | X | CVE-2025-36172 Cross-Site Scripting vulnerability in Case Client | |
| DT437853 | User may observe slow performance when server starts after upgrading to BAW 23.0.2 or a later version | ||
| DT438377 | Cloud Pak for Business Automation zen_performance parameters not passed to WorkflowRuntime CR | ||
| DT447005 | Process instance migration API call /ops/std/bpm/containers/migrate_without_policyfile fails | ||
| DT447504 | When the current stage is the first stage, an attempt to restart a non-existent prior case stage results in a failure with error FNRCE0007E | ||
| DT448066 | Locale initialization issues in Business Automation Workflow 24.0.1 cause incorrect language while using Date time picker- IBM Business Automation Workflow | ||
| DT448347 | tw.system.currentProcessInstance.parentCase.terminateActivities() API does not terminate failed workflow instances |
24.0.1.0 IF004
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT439593 | X | Security vulnerability cross-site scripting | |
| DT439782 | X | Multiple security vulnerabilities affect swagger-ui | |
| DT398711 | When restating an Openshift Cluster you may see the Workflow pods get into a Init:CrashLoopBackOff state with a permissions error - Cloud Pak for Business Automation | ||
| DT435617 | Slowness in Case REST /bawtasks API call | ||
| DT436471 | Server Type Not Visible in Admin Console When Configured via Desktop Designer | ||
| DT436615 | You notice that the Single select view from the UI toolkit shows the placeholder text or blank value within the selection popup | ||
| DT439827 | Included Apache Johnzon classes might cause conflicts with Java External Services |
24.0.1.0 IF002
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT417496 | X | CVE-2024-31141 in kafka-clients reported for bai-events-java-sdk | |
| DT424716 | X | Security vulnerability CVE-2025-1495 lack of authorization validation affects Workflow Center and Business Automation Studio | |
| DT425691 | X | Security vulnerability CVE-2025-1838 affects IBM Workflow Center and IBM Business Automation Studio | |
| DT433330 | X | Security vulnerabilities CVE-2024-57965, CVE-2025-27152 and CVE-2025-27789 affect Process Admin Console | |
| DT395245 | Unable to upload file using BPM document list control after installing the DT213423 & DT380377 fixes | ||
| DT419248 | You see error in case activities cshs view, FNRPA0556E The deployed task type info object for the {GUID} task type was not found after solution deployment. | ||
| DT423276 | Unable to search Task in the Process Portal Work Dashboard | ||
| DT423451 | The BPM document list component can upload the same file multiple times | ||
| DT425091 | The Process Admin Console displays the html encoded text of the Exposed Process Variable's external description | ||
| DT425611 | Pages in Case Client are carrying over across roles | ||
| DT425681 | Even though monitoring for Workflow is enabled there are no prometheus events | ||
| DT425711 | Workflow pods are slow or fail to startup due to the IBM_BPM_Portal application - Cloud Pak for Business Automation | ||
| DT426664 | Business Automation Workflow pod repeatedly restarting after applying Interim fix 4 for 24.0.0 | ||
| DT431851 | baw-db-init pod is going into 'CrashLoopBackOff' while moving inflight process instances from traditional Business Automation Workflow 24.0.1.0 to Cloud Pak for Business Automation 24.0.1 | ||
| DT433874 | Blank editor property sheets after renaming an activity | ||
| DT434439 | The Case REST API ''/writableappspaces/{appspace}/roles/{role}/member'' has a 1k limit for the number of returned users. | ||
| DT434695 | Saved search acceleration tools table column size limitation of 128 chars impacts IBM Business Automation Workflow Case dynamic filters |
24.0.1.0 IF001
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT416464 | When invoking an external Web service, the request might be serialized using an incorrect namespace in service implementation | ||
| DT419081 | Cloud Pak for Business Automation operator fails to add https or port for a embedded Process Federation Server | ||
| DT422768 | In IBM Business Automation Workflow 24.0.0, you may see a com.fasterxml.jackson.core.exc.StreamConstraintsException when calling a REST API with a String variable greater than 20 million bytes | ||
| DT423206 | LDAP groups can't be found when searching group while editing collaborators when sc_restricted_internet_access: true is set | ||
| DT423710 | BPMUpdateSystemApp command fails when starting Deployment Manager for the first time after upgrading to 24.0.1 |
Document change history
- 18 December 2025: Updated with 24.0.1.0 IF006 details
- 26 September 2025: Updated with 24.0.1.0 IF005 details
- 1 July 2025: Updated with 24.0.1.0 IF004 details
- 1 May 2025: Updated with 24.0.1.0 IF002 details
- 28 February 2025: Initial publish.
[{"Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Type":"MASTER"}]
Was this topic helpful?
Document Information
Modified date:
03 February 2026
UID
ibm17183042