Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 8, which is used by the desktop version of IBM Process Designer in both IBM Business Automation Workflow and IBM Business Process Manager. IBM Process Designer has addressed the applicable CVEs.

Vulnerability Details

CVEID:CVE-2021-35603
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-35550
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Install interim fix JR64646 for your version:

• IBM Business Automation Workflow 21.0.3
• IBM Business Automation Workflow 21.0.2
• IBM Business Automation Workflow 20.0.0.2
• IBM Business Automation Workflow 19.0.0.3
• IBM Business Process Manager 8.6.0.0 CF2018.03
• IBM Business Process Manager Advanced 8.5.7 CF2017.06
• IBM Business Process Manager Standard 8.5.7 CF2017.06
• IBM Business Process Manager Express 8.5.7 CF2017.06

Workarounds and Mitigations

None