IBMB461A56F6F5D210B9D9B2D34B7F0A3D3B7CEF57C63806083BC443A63C27F4B85Security Bulletin: Spoofing vulnerability affect IBM Business Automation Workflow - Process Federation Server component - CVE-2018-25013
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
65.8%
Summary
Process Federation Server shipped with IBM Business Automation Workflow are vulnerable to a Spoofing attack.
Vulnerability Details
CVEID:CVE-2018-25031
**DESCRIPTION:**swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
**IBM X-Force ID:**221508
**DESCRIPTION:**Swagger UI could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the OpenAPI definitions. An attacker could exploit this vulnerability using the ?url parameter in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 - V22.0.1-IF001 | affected |
| IBM Business Automation Workflow containers | V21.0.3 - V21.0.3-IF011 | |
| V21.0.2 all fixes | ||
| V20.0.0.2 all fixes | ||
| V20.0.0.1 all fixes | not affected | |
| IBM Business Automation Workflow traditional | V22.0.1 | affected |
| IBM Business Automation Workflow traditional | V21.0.1 - V21.0.3 | |
| V20.0.0.1 - V20.0.0.2 | ||
| V19.0.0.1 - V19.0.0.3 | ||
| V18.0.0.0 - V18.0.0.2 | not affected |
For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR65036 as soon as practical.
| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow containers | V22.0.1 | Apply 22.0.1-IF002 |
| IBM Business Automation Workflow containers | V21.0.3 | no action required |
| IBM Business Automation Workflow containers | V21.0.2 | |
| V20.0.0.1 - V20.0.0.2 | no action required | |
| IBM Business Automation Workflow traditional | V22.0.1 | Apply JR65036 |
| IBM Business Automation Workflow traditional | V21.0.1 - V21.0.3 | |
| V20.0.0.1 - V20.0.0.2 | ||
| V19.0.0.1 - V19.0.0.3 | ||
| V18.0.0.0 - V18.0.0.2 | no action required |
Workarounds and Mitigations
None
Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.003 Low
EPSS
Percentile
65.8%