Security Bulletin: Reverse tabnabbing vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-4490

2020-05-2816:31:23

www.ibm.com

0.001 Low

EPSS

Percentile

36.6%

JSON

Summary

IBM Business Process Manager (Process Center) and IBM Business Automation Workflow (Workflow Center) are vulnerable to a reverse tabnabbing vulnerability.

Vulnerability Details

CVEID:CVE-2020-4490
**DESCRIPTION:**IBM Business Automation Workflow and IBM Business Process Manager could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a vitcim to a phishing site.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181989 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Business Automation Workflow	V19.0
V18.0
IBM Business Process Manager	V8.6
V8.5
V8.0

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR62210 as soon as practical:

IBM Business Automation Workflow (including fix for IBM Business Process Manager V8.6.0.0 2018.03)
IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0 and V19.0
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR62210
--OR–
· Apply cumulative fix Business Automation Workflow V20.0.0.1 or later (targeted availability 2Q 2020)

For IBM Business Process Manager V8.6
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR62210
--OR–
· Upgrade to Business Automation Workflow V20.0.0.1 or later (targeted availability 2Q 2020)

For IBM BPM V8.5
· Upgrade to IBM BPM V8.5.7, apply Cumulative Fix 2017.06 and then apply iFix JR62210
--OR–
· Upgrade to Business Automation Workflow V20.0.0.1 or later (targeted availability 2Q 2020)

For IBM BPM V8.0
· Upgrade to IBM BPM V8.0.1, apply Fix Pack 3 and then apply iFix JR62210
--OR–
· Upgrade to Business Automation Workflow V20.0.0.1 or later (targeted availability 2Q 2020)

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm business process manager advancedeq8.6
ibm business process manager advancedeq8.5.7.
ibm business process manager advancedeq201706
ibm business process manager advancedeq8.5.7.
ibm business process manager advancedeq201703
ibm business process manager advancedeq8.5.7.
ibm business process manager advancedeq201612
ibm business process manager advancedeq8.5.7.
ibm business process manager advancedeq201609
ibm business process manager advancedeq8.5.7.

Name	Operator	Version
ibm business process manager advanced	eq	8.6
ibm business process manager advanced	eq	8.5.7.
ibm business process manager advanced	eq	201706
ibm business process manager advanced	eq	8.5.7.
ibm business process manager advanced	eq	201703
ibm business process manager advanced	eq	8.5.7.
ibm business process manager advanced	eq	201612
ibm business process manager advanced	eq	8.5.7.
ibm business process manager advanced	eq	201609
ibm business process manager advanced	eq	8.5.7.

Rows per page:

1-10 of 781

0.001 Low

EPSS

Percentile

36.6%

JSON

Related for 33197D8DE793F5CEB8E812F3178F392CEE39D83561E21F7DA08D98C0431899F1