IBM79B056938798BE5CBF6001D33E8976C1E6C6CA8B6305687E00EAC57A2CE7FE14Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2020-35618
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
59.6%
Summary
IBM Business Process Manager and IBM Business Automation Workflow are vulnerable to a Denial of Service attack.
Vulnerability Details
CVEID:CVE-2020-36518
**DESCRIPTION:**FasterXML jackson-databind is vulnerable to a denial of service, caused by a Java StackOverflow exception. By using a large depth of nested objects, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 | not affected |
| IBM Business Automation Workflow containers | V21.0.3 - V21.0.3-IF009 | |
| V21.0.2 all fixes | ||
| V20.0.0.2 all fixes | ||
| V20.0.0.1 all fixes | affected | |
| IBM Business Automation Workflow traditional | V22.0.1 | not affected |
| IBM Business Automation Workflow traditional | V21.0.1 - V21.0.3 | |
| V20.0.0.1 - V20.0.0.2 | ||
| V19.0.0.1 - V19.0.0.3 | ||
| V18.0.0.0 - V18.0.0.2 | affected | |
| IBM Business Process Manager | V8.6.0.0 - V8.6.0.201803 | |
| V8.5.0.0 - V8.5.0.201706 | affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64828 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 | No action required |
| IBM Business Automation Workflow containers | V21.0.3 | Apply 21.0.3-IF009 |
| or upgrade to 22.0.1 or later. | ||
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | Upgrade to V21.0.3 and apply 21.0.3-IF009 | |
| or upgrade to 22.0.1 or later. | ||
| IBM Business Automation Workflow traditional | V22.0.1 | No action required |
| IBM Business Automation Workflow traditional | V21.0.3 | Apply JR64828 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Automation Workflow traditional | V21.0.2 | Apply JR64828 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply JR64828 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply JR64828 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Automation Workflow traditional | V19.0.0.3 | Apply JR64828 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Automation Workflow traditional | V19.0.0.1 - V19.0.0.2 | |
| V18.0.0.1 - V18.0.0.2 | Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply JR64828 | |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Automation Workflow traditional | V18.0.0.0 | Apply JR64828 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Process Manager | V8.6.0.0 - V8.6.0.201803 | Upgrade to IBM Business Process Manager Version 8.6 Cumulative Fix 2018.03 and apply JR64828 |
| or upgrade to IBM Business Automation Workflow 22.0.1 or later | ||
| IBM Business Process Manager | V8.5.0.0 - V8.5.7.201706 | An updated version of this open source library is only available for Java 8 and later. IBM Business Process Manager 8.5.7 does not support Java 8. |
| Upgrade to IBM Business Process Manager Version 8.6 Cumulative Fix 2018.03 and apply JR64828 | ||
| or upgrade to IBM Business Automation Workflow 22.0.1 or later |
Workarounds and Mitigations
None
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
59.6%