History: Jan 26, 2022 - 8:18 a.m.

Security Bulletin: Vulnerabilities in Node.js affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-22960, CVE-2021-22959

2022-01-26 08:18:02
www.ibm.com

6.5 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

6.4 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.002 Low
Percentile: 55.6%

Summary

The Configuration Editor in IBM Business Process Manager and IBM Business Automation Workflow is vulnerable to an HTTP request smuggling attack.

Vulnerability Details

CVEID: CVE-2021-22960
**DESCRIPTION:** Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests. A remote attacker could send a specially-crafted request to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/211171 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-22959
**DESCRIPTION:** Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers. A remote attacker could send a specially-crafted request with a space (SP) right after the header name before the colon to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/211168 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
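As an added example (not code from IBM or the Node.js project), the following proxy-side check flags the malformed header shape described under CVE-2021-22959, whitespace between a header name and its colon, which RFC 7230 section 3.2.4 requires a server to reject with 400. It assumes a reverse proxy or WAF in front of the Configuration Editor that sees the raw request text; the hostname in the constructed samples is a placeholder.

```javascript
// Added example (not IBM's or Node.js' own code): strict header-name check for
// the CVE-2021-22959 shape, intended for a reverse-proxy or WAF rule.
// RFC 7230 section 3.2.4: no whitespace is allowed between the field-name and
// the colon, and a server MUST reject such a message with 400 Bad Request.

const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 "token" characters

// Inspect the header block of a raw HTTP/1.1 request (CRLF-delimited string)
// and return an array of findings; an empty array means the headers are clean.
function checkRequestHeaders(raw) {
  const findings = [];
  const headEnd = raw.indexOf('\r\n\r\n');
  const head = headEnd === -1 ? raw : raw.slice(0, headEnd);
  const seen = new Set(); // lower-cased field-names encountered so far

  for (const line of head.split('\r\n').slice(1)) { // slice(1) skips the request-line
    const colon = line.indexOf(':');
    if (colon === -1) {
      findings.push(`header line without colon: ${JSON.stringify(line)}`);
      continue;
    }
    const name = line.slice(0, colon);
    if (/[ \t]$/.test(name)) {
      // The CVE-2021-22959 shape, e.g. "Transfer-Encoding : chunked"
      findings.push(`whitespace before colon in header name: ${JSON.stringify(name)}`);
    } else if (!TOKEN_RE.test(name)) {
      findings.push(`invalid header name: ${JSON.stringify(name)}`);
    }
    seen.add(name.trim().toLowerCase());
  }
  // Conflicting framing headers are the general precondition for smuggling.
  if (seen.has('transfer-encoding') && seen.has('content-length')) {
    findings.push('both Transfer-Encoding and Content-Length present');
  }
  return findings;
}

// Constructed samples (placeholder hostname): one clean, one malformed.
const cleanRequest =
  'GET /config HTTP/1.1\r\nHost: bpm.example.internal\r\n\r\n';
const malformedRequest =
  'POST /config HTTP/1.1\r\nHost: bpm.example.internal\r\n' +
  'Content-Length: 4\r\nTransfer-Encoding : chunked\r\n\r\nbody';

console.log(checkRequestHeaders(cleanRequest));     // []
console.log(checkRequestHeaders(malformedRequest)); // two findings
```

A request that produces any finding should be rejected with 400 before it reaches the Node.js process, and the rejection logged, since a malformed name like this has no legitimate use.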

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
| --- | --- | --- |
| IBM Business Automation Workflow traditional | V21.0.3 | not affected |
| IBM Business Automation Workflow traditional | V21.0.2; V20.0.0.1 - V20.0.0.2; V19.0.0.1 - V19.0.0.3; V18.0.0.0 - V18.0.0.1 | affected |
| IBM Business Automation Workflow containers | V21.0.1 - V21.0.3; V20.0.0.1 - V20.0.0.2 | not affected |
| IBM Business Process Manager | V8.6.0.0 - V8.6.0.201803; V8.5.0.0 - V8.5.0.201706 | affected |

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64322 as soon as practical.

| Affected Product(s) | Version(s) | Remediation / Fix |
| --- | --- | --- |
| IBM Business Automation Workflow traditional | V21.0.2 | Apply JR64322 or upgrade to IBM Business Automation Workflow 21.0.3 |
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply JR64322 or upgrade to IBM Business Automation Workflow 21.0.3 |
| IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply JR64322, or upgrade to IBM Business Automation Workflow 21.0.3 |
| IBM Business Automation Workflow traditional | V19.0.0.3 | Apply JR64322 or upgrade to IBM Business Automation Workflow 21.0.3 |
| IBM Business Automation Workflow traditional | V19.0.0.2; V19.0.0.1; V18.0.0.2; V18.0.0.1 | Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply JR64322, or upgrade to IBM Business Automation Workflow 21.0.3 |
| IBM Business Automation Workflow traditional | V18.0.0.0 | Apply JR64322 or upgrade to IBM Business Automation Workflow 21.0.3 |
| IBM Business Process Manager | V8.6.0.0 - V8.6.0.201803 | Upgrade to IBM Business Process Manager Version 8.6 Cumulative Fix 2018.03 and apply JR64322, or upgrade to IBM Business Automation Workflow 21.0.3 |
| IBM Business Process Manager | V8.5.0.0 - V8.5.7.201706 | Upgrade to IBM Business Process Manager Version 8.5.7 Cumulative Fix 2017.06 and apply JR64322 for the edition of your product |

Workarounds and Mitigations

IBM BPM Configuration Editor is a stand-alone tool for editing properties files. Use a standard text editor instead.
