The embedded IBM FileNet Content Manager component that is shipped with IBM Business Automation Workflow is affected by multiple vulnerabilities.
CVEID: CVE-2021-38965
**DESCRIPTION:** IBM FileNet Content Manager 5.5.4, 5.5.6, and 5.5.7 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 212346.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2021-23926
**DESCRIPTION:** Apache XMLBeans is vulnerable to a denial of service, caused by an XML external entity (XXE) error when processing XML data. By sending a specially-crafted XML request, a remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194818 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)
CVEID: CVE-2021-31811
**DESCRIPTION:** Apache PDFBox is vulnerable to a denial of service, caused by an out-of-memory exception while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203615 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-31812
**DESCRIPTION:** Apache PDFBox is vulnerable to a denial of service, caused by an error while loading a file. By persuading a victim to open a specially-crafted PDF file, a remote attacker could exploit this vulnerability to cause the system to enter into an infinite loop.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203587 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Business Automation Workflow traditional | V21.0.3 | not affected |
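IBM Business Automation Workflow traditional | V21.0.2 | affected |
IBM Business Automation Workflow traditional | V20.0.0.1 - V20.0.0.2 | affected |
IBM Business Automation Workflow traditional | V19.0.0.3 | affected |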
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64214 as soon as practical.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Business Automation Workflow traditional | V21.0.2 | Apply JR64214 or upgrade to IBM Business Automation Workflow 21.0.3 |
IBM Business Automation Workflow traditional | V20.0.0.2 | Apply JR64214 or upgrade to IBM Business Automation Workflow 21.0.3 |
IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply JR64214 or upgrade to IBM Business Automation Workflow 21.0.3 |
IBM Business Automation Workflow traditional | V19.0.0.3 | Apply JR64214 or upgrade to IBM Business Automation Workflow 21.0.3 |
None