IBM2955FD677307C59BC4E381D8CA0275D629803259C2176CE4E845D6B42BA2E178Security Bulletin: Security vulnerabilities in Dojo and jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.035 Low
EPSS
Percentile
91.5%
Summary
Security vulnerabilities have been reported for Dojo and jQuery version shipped with IBM Business Automation Workflow and IBM BPM.
Vulnerability Details
CVEID:CVE-2018-15494
**DESCRIPTION:**Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DataGrid component. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/148556 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2011-4969
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input when handling the “location.hash” property. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/82875 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID:CVE-2012-6708
**DESCRIPTION:**jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery(strInput) function. A remote attacker could exploit this vulnerability using the to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/138055 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:CVE-2019-11358
**DESCRIPTION:**jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159633 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Business Automation Workflow | V19.0 |
| V18.0 | |
| IBM Business Process Manager | V8.6 |
| V8.5 | |
| V8.0 |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
Install interim fixes JR61922, JR61948,and JR61957 as appropriate for your current IBM Business Automation Workflow or IBM BPM version.
Note that JR61922 is superseded by JR62228 addressing an issue with profile upgrade in case the ifix has been applied and is reapplied during upgrade to a newer version, which does not yet include the fix.
- IBM Business Automation Workflow
- IBM Business Process Manager Advanced
- IBM Business Process Manager Standard
- IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0 and V19.0
· Upgrade to at least IBM Business Automation Workflow V19.0.0.2 as required by iFixes and then apply iFixes JR61922, JR61948,and JR61957
--OR–
· Apply cumulative fix IBM Business Automation Workflow V20.0.0.1 (planned for end of Q2 2020)
For IBM BPM V8.6
· Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFixes and then apply iFixes JR61922, JR61948,and JR61957
**For IBM BPM V8.5 **· Upgrade to IBM BPM V8.5.7, apply Cumulative Fix 2017.06 and then apply iFixes JR61922, JR61948,and JR61957 (Versions prior to 8.5.5 are not affected by the vulnerability fixed by JR61922)
For IBM BPM V8.0
· Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFixes and then apply iFixes JR61948,and JR61957 (V8.0 is not affected by the vulnerability fixed by JR61922)
Workarounds and Mitigations
None
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.035 Low
EPSS
Percentile
91.5%