Security Bulletin: Cross-Site Scripting vulnerability in IBM Business Automation Workflow (CVE-2018-1849)

Summary

A Cross-Site Scripting vulnerability has been found in Business Process Choreographer (BPC) Explorer of IBM Business Automation Workflow.

Vulnerability Details

CVEID: CVE-2018-1849
DESCRIPTION: IBM Business Process Manager (BPM) is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially disclosing credentials in a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150948 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager Advanced V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager Advanced V8.5.6.0 through V8.5.6.0 Cumulative Fix 2

- IBM Business Process Manager Advanced V8.5.5.0

- IBM Business Process Manager Advanced V8.5.0.0 through V8.5.0.2

- IBM Business Process Manager Advanced V8.0.0.0 through V8.0.1.3

- IBM Business Process Manager Advanced V7.5.0.0 through V7.5.1.2

- earlier unsupported version of WebSphere Process Server

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60177 as soon as practical:

• IBM Business Automation Workflow
• IBM Business Process Manager
• IBM Business Process Manager Advanced

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60177
Note that Business Automation Workflow 18.0.0.0 is a software bundle that includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix for IBM Business Automation Workflow 18.0.0.0, download the fix labeled “8.6.0.201803-WS-BPM-IFJR60177”.
--OR–
· Apply cumulative fix Business Automation Workflow V18.0.0.2

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60177
Note that Business Automation Workflow 18.0.0.0 is a software bundle that includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix for IBM Business Process Manager V8.6.0.0 CF 2018.03, download the fix labeled “8.6.0.201803-WS-BPM-IFJR60177”.
--OR–
· Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR60177
--OR–
· Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
· Apply CF2 and then apply iFix JR60177
--OR–
· Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.5.0
· Apply iFix JR60177
--OR–
· Upgrade to Business Automation Workflow V18.0.0.2

For IBM BPM V8.5.0.0 through V8.5.0.2
· Apply iFix JR60177
--OR–
· Upgrade to Business Automation Workflow V18.0.0.2

For products in extended support:

• IBM Business Process Manager V7.5.0.0 through V7.5.1.2 *IBM Business Process Manager V8.0.0.0 through V8.0.1.3

· Migrate to Business Automation Workflow V18.0.0.2

--OR–

· Contact IBM support to obtain and then apply iFix JR60177

Workarounds and Mitigations

None