IBM13A0462F9F445C19ADDDE9543FCB9CCA463DCD1421963FA8AB5CC16559B16BBDSecurity Bulletin: External Service invocation in IBM Business Space affects IBM Business Automation Workflow and IBM Business Process Manager family products (CVE-2018-1885)
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
46.8%
Summary
A vulnerability in IBM Business Space can allow an attacker to cause an external service invocation.
Vulnerability Details
CVEID: CVE-2018-1885
DESCRIPTION: IBM Business Space could allow an unauthenticated attacker to obtain sensitve information using a specially cracted HTTP request.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152020> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager Enterprise Service Bus V8.6
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- WebSphere Enterprise Service Bus V7.0.0.0 through V7.5.1.2
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60524 as soon as practical:
- IBM Business Automation Workflow (including fix for IBM Business Process Manager V8.6.0.0 2018.03)
- IBM Business Process Manager Advanced
- IBM Business Process Manager Standard
- IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
· Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by iFix and then apply iFix JR60524
--OR–
· Apply cumulative fix Business Automation Workflow V19.0.0.1
For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to at least IBM BPM 8.6.0.0 CF 2018.03 as required by iFix and then apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
· Apply C F2 and then apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.5.0
· Apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.0.0 through V8.5.0.2
· Apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For products in extended support:
- IBM Business Process Manager V7.5.0.0 through V8.0.1.3
· Migrate to Business Automation Workflow V19.0.0.1
- IBM Websphere Enterprise Service Bus V7.0 through V7.5.1.2
· Migrate to IBM Business Process Manager Enterprise Service Bus V8.6
--OR–
· Contact IBM support to obtain and then apply iFix JR60524
Workarounds and Mitigations
None
Affected configurations
Related
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
46.8%