IBM390D991E9A7E1046B2F7B32B26E2D37651DC14801048EA4574EAE9A9D63AF482Security Bulletin: Cross-Site Request Forgery vulnerability affects IBM Business Automation Workflow - CVE-2022-42435
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
28.5%
Summary
IBM Business Automation Workflow is vulnerable to a Cross-Site Request Forgery attack.
Vulnerability Details
CVEID:CVE-2022-42435
**DESCRIPTION:**IBM Business Automation Workflow 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, and 22.0.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 238054.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238054 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.2 | not affected |
| IBM Business Automation Workflow containers | V22.0.1 - V22.0.1-IFT005 | |
| V21.0.3 - V21.0.3-IFT015 | ||
| V21.0.2 all fixes | ||
| V20.0.0.2 all fixes | ||
| V20.0.0.1 all fixes | affected | |
| IBM Business Automation Workflow traditional | V22.0.2 | not affected |
| IBM Business Automation Workflow traditional | V22.0.1 | |
| V21.0.1 - V21.0.3.1 | ||
| V20.0.0.1 - V20.0.0.2 | ||
| V19.0.0.1 - V19.0.0.3 | affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT160709 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 | Apply 22.0.1-IF006 |
| IBM Business Automation Workflow containers | V21.0.3.1 | Apply 21.0.3-IF016 |
| or upgrade to 22.0.1-IF006 or later | ||
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | Upgrade to 21.0.3-IF016 | |
| or upgrade to 22.0.1-IF006 or later | ||
| IBM Business Automation Workflow traditional | V22.0.1 | Apply DT160709 |
| IBM Business Automation Workflow traditional | V21.0.3 | Apply DT160709 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160709 | ||
| IBM Business Automation Workflow traditional | V21.0.2 | Upgrade to IBM Business Automation Workflow 21.0.3.1 and apply DT160709 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160709 | ||
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply DT160709 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160709 | ||
| IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply DT160709 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160709 | ||
| IBM Business Automation Workflow traditional | V19.0.0.3 | Apply DT160709 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160709 | ||
| IBM Business Automation Workflow traditional | V19.0.0.1 - V19.0.0.2 | Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply DT160709 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later and apply DT160709 |
Workarounds and Mitigations
None
Affected configurations
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
28.5%