Fix Readme
Abstract
This readme is for IBM Business Automation Workflow on containers 25.0.0.0 interim fixes released periodically to resolve security vulnerabilities, as well as other defects. It includes information about the CASE package download, installation, and other information about interim fixes for the 25.0.0.0 release.
Content
| Readme file for | IBM Business Automation Workflow on containers |
|---|---|
| Product release | 25.0.0.0 |
| Publication date | 28 August 2025 |
Contents
Prerequisites and superseding fixes
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Prerequisites and superseding fixes
- To apply the interim fix you have to be at product version level 25.0.0.
- Each interim fix typically supersedes all other previous interim fixes shipped for 25.0.0.0, and compliments a simultaneously delivered interim fix for IBM Cloud Pak for Business Automation 25.0.0. Consult the following table for specific relationships.
- Business Automation Workflow on containers delivers container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly. These interim fixes include fixes for these libraries. Consult the superseded and related Cloud Pak for Business Automation 25.0.0 Readmes for specific information about vulnerabilities and other defects that have been addressed.
Business Automation Workflow on containers interim fixes
| Interim fix name | Superseded interim fix names | Business Automation Workflow on containers cert-kubernetes-baw package | CASE package | Complimentary Cloud Pak for Business Automation interim fix name | Released |
| 25.0.0.0 IF003 | See note (*) below | 25.0.0.0 IF003 | ibm-cp-automation-25.0.3.tgz | 25.0.0 IF003 | December 2025 |
| 25.0.0.0 IF002 | * Note: All previous interim fixes listed in this table | 25.0.0.0 IF002 | ibm-cp-automation-25.0.2.tgz | 25.0.0 IF002 | October 2025 |
| 25.0.0.0 IF001 | None | 25.0.0.0 IF001 | ibm-cp-automation-25.0.1.tgz | 25.0.0 IF001 | August 2025 |
This table is chronologically listed in reverse order, with more recent fixes listed at the top.
Components impacted
Before installation
a. Ensure you back up all databases associated with the environment.
b. Ensure your operators are in a healthy state before upgrading.
If one or more operators are failing, the system might be prevented from completing an upgrade. Check a few of the important custom resource (CR) statuses for failures and to ensure the statuses appear ready for the various installed components.
Check the status of the following CRs when they exist:
kubectl get icp4acluster -o yamlInstalling the interim fix
Two stages are involved in an update: 1. updating the operators, and 2. updating the images for the deployments and pods
After the operator is upgraded, rolling updates for all the pods the operator manages are triggered to ensure they are updated to the appropriate version that matches the operator. However there are some circumstances that can prevent this from occurring (see further details below)
To install the interim fix follow the general procedure described for Upgrading from 24.0.1.0 but use the supplemental information below that applies to the specific setup you have.
Updating the operators
For an online installation of the interim fix:
- Business Automation Workflow 25.0.0.0 interim fixes are released to the v25.1 operator channel.
- If your environment was installed with 24.0.1.0 IF002, has access to the IBM entitled registry, and has an automatic v24.1 channel subscription, enterprise installations are upgraded automatically. This upgrade usually occurs when the interim fix is released or when images are mirrored for air-gap setup. From 24.0.1.0 IF002 onwards a new, pinned catalogue source is introduced to prevent the risk of incompatible operator updates. Operators need to be updated to use the new catalog. In an online OCP installation the operator upgrade and pinned catalogue creation is taken care of for you when you run the upgradeOperator script as part of the instructions linked below.
- If your environment was installed at 24.0.1.0 IF002 level or later it will use the pinned catalog from the outset. This catalog needs to be updated with each subsequent interim fix update (via the upgradeOperator script).
Follow the procedure described for Upgrading from 24.0.1.0.
Note that there can be a delay before the operator is updated (e.g. the default refresh interval for the catalog source can cause a delay of up to 45 minutes).
For installing the interim fix in an air gapped/offline/private registry environment:
- Use the CASE package that is associated with the interim fix being applied. It is typically recommended that the latest interim fix be applied. To identify the appropriate CASE package, as well as links to obtain each package, see the table under Prerequisites and superseding fixes.
- Use the same method as you did for the initial setup to mirror the new catalogs or images to your offline registry, taking care to use the appropriate CASE package for the interim fix level you are updating to. For more information, see Mirroring images to the private registry.
If you have subscriptions set to manual, you must approve all the pending operator updates.
Important: Do not set subscriptions to manual because it can make the the upgrade more error prone if some of the many operator updates are not approved. By default all subscriptions are set to automatic.
Updating the deployments and pods
After the operators are updated, the update of the related deployments and pods are triggered by the newly updated operators to ensure the version matches the operator.
Important: Using individual image tag settings in your Business Automation Workflow CR file could prevent the operator from updating the images to the appropriate version. Ensure you remove these settings for a production installation and apply the modified CR as instructed in the linked upgrade instructions above.
Performing the necessary tasks after installation
Review the installation
Review the CR yaml status section and operator logs after the upgrade to ensure no failures prevented your pods from upgrading.
kubectl get icp4acluster -o yaml > CP4BAconfig.yaml
oc logs deployment/ibm-cp4a-operator -c operator > operator.logTo verify the expected image digest for a particular image, review the
ibm-cs-bawautomation\inventory\cp4aOperatorSdk\resources.yaml file in the CASE package. This file has a listing of the images managed by the Cloud Pak for Business Automation operator and their expected digest for this particular interim fix level.Uninstalling
There is no procedure to uninstall the interim fix.
List of fixes
The following Known Issues (APARs) are specific to Business Automation Workflow on containers. Depending on the components and capabilities you installed and configured, additional fix information might apply to you. See the "List of Fixes" in the readmes linked under Complimentary Cloud Pak for Business Automation interim fixes in the Prerequisites and superseding fixes section in this document. These readmes detail vulnerability fixes shipped with interim fixes for included operating system level and other open source libraries. The fixes below are also listed in those readmes, but they are also listed here as a convenience.
Fixes that involve security are indicated with an X mark.
Business Automation Workflow
25.0.0.0 IF003
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| N/A | X | In addition to updating many operating system level packages, as well as those listed in this table for which Known Issue have been opened, this IBM Business Automation Workflow container fix addresses the following vulnerabilities: CVE-2025-47912, CVE-2025-58183, CVE-2025-58185, CVE-2025-58186, CVE-2025-58187, CVE-2025-58188, CVE-2025-58189, CVE-2025-61723, CVE-2025-61724, CVE-2025-61725, CVE-2025-61727, CVE-2025-61729, CVE-2025-58056, CVE-2025-58057, CVE-2025-53066, CVE-2025-53057, CVE-2025-62727 For more details, visit the related Security Bulletin. | |
| DT446922 | X | CVE-2025-48976 - DoS vulnerability in commons-fileupload affects IBM Business Automation Workflow | |
| DT447031 | X | CVE-2025-36172 Cross-Site Scripting vulnerability in Case Client | |
| DT448632 | X | CVE-2025-48924 in Apache commons-lang may affect IBM Business Automation Workflow | |
| DT450355 | X | CVE-2025-41242 - Update Spring framework in Business Automation Workflow | |
| DT451477 | X | CVE-2025-58754 reported for axios-1.11.0 | |
| DT455668 | X | CVE-2025-57352 in min-document | |
| DT456229 | X | CVE-2025-13096 - XML Entity Expansion vulnerability in IBM Business Automation Workflow | |
| DT457061 | X | Server side Request Forgery affects IBM Business Automation Workflow and Cloud Pak for Business Automation | |
| DT445873 | - Load on IM pods spike when Process Admin Console user and group search is performed | ||
| DT450088 | After upgrading from ICM 5.3.3 to CP4BA , error message FNRCE0066E: E_UNEXPECTED_EXCEPTION: Failed to update case properties into PFS. : jms/TWClientConnectionFactory is seen | ||
| DT451052 | Process Instances cannot be deleted due to incorrect CAN_DELETE_INSTANCE value | ||
| DT453431 | Snapshot status not getting updated in Process Admin console | ||
| DT454846 | When updating an existing document to newer version(s) of the document having a different mime type, the mime type of the document always reflects the mime type of the first version | ||
| DT456476 | BatchUpdateExceptions are seen when indexing tasks which have been created by Business Automation Workflow 19.0.0.1 or older are not updated | ||
| DT455683 | When clicking on a ToDo task in the IBM Business Automation Workflow Case Client, the message Loading... appears but Task is not opened. Error in console: Uncaught TypeError: can't access property set, casePropController is undefined. | ||
| DT457050 | Process Inspector failure due to Jackson 20 MB String limit in execution tree | ||
| DT457084 | db-init-job failing due to permissions when attempting to migrate process instances on 24.0.1 | ||
| DT419413 | [DOC] The Content Object created for a re-use case property has a broken reference to the associated choice list in IBM Web Process Designer | ||
| DT436090 | - CWLLG2156W: The database connection pool size (200) of the Workflow Server data source might be too small tuning queue capacity and cm_max_pool_size (CP4BA) |
25.0.0.0 IF002
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT446350 | X | CVE-2025-7783 - form-data-4.0.0.tgz affects Process Admin Console | |
| DT447031 | X | CVE-2025-36172 Cross-Site Scripting vulnerability in Case Client | |
| DT447005 | Process instance migration API call /ops/std/bpm/containers/migrate_without_policyfile fails | ||
| DT447504 | When the current stage is the first stage, an attempt to restart a non-existent prior case stage results in a failure with error FNRCE0007E | ||
| DT448347 | tw.system.currentProcessInstance.parentCase.terminateActivities() API does not terminate failed workflow instances | ||
| DT449118 | When typeahead behavior is enabled in a single select view from the UI Toolkit, the view does not correctly handle the displaying of the clear button after it has been used once | ||
| DT450834 | Details of content object properties displayed incorrectly in process editor | ||
| DT451052 | Process Instances cannot be deleted due to incorrect CAN_DELETE_INSTANCE value | ||
| DT451296 | Saved Searches imported into Process Federation Server might get saved with incorrect value for OWNER |
25.0.0.0 IF001
| Known Issue | Security | Behavior change | Title |
|---|---|---|---|
| DT419489 | X | CVE-2024-38820, CVE-2025-22233 - Update Spring framework | |
| DT440290 | X | CVE-2025-48734 in commons-beanutils | |
| DT445908 | X | CVE-2025-27817, CVE-2025-27818 in kafka-clients-3.8.1.jar affecting event emitters | |
| DT446327 | X | CVE-2025-27817, CVE-2025-27818 in kafka-clients-3.8.1.jar may affect Case Event Emitters | |
| DT438377 | Cloud Pak for Business Automation zen_performance parameters not passed to WorkflowRuntime CR | ||
| DT439656 | Uncaught TypeError when processing documents retrieved through Enterprise Content Management Document List or File List view | ||
| DT439827 | Included Apache Johnzon classes might cause conflict with Java External Services | ||
| DT443418 | Clicking on a task link fails to open in a new tab and leads to an error: The requested page is not available. | ||
| DT443993 | Enterprise Content Management File Uploader does not allow selecting multiple files | ||
| DT444016 | MQ configuration needs to be applied manually before MQ services can be used | ||
| DT448169 | Case toolkit strings not translated | ||
| DT448172 | Modifying tasks using Assistant does not work when Workplace is Federated |
Document change history
- 18 December 2025: Updated with 25.0.0.0 IF003 details
- 31 October 2025: Updated with 25.0.0.0 IF002 details
- 28 August 2025: Initial publish.
[{"Type":"MASTER","Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"25.0.0"}]
Was this topic helpful?
Document Information
Modified date:
01 February 2026
UID
ibm17238811