Lucene search

K
ibmIBMB7B1A8DAB1A897FBFE8F37F46B5A9BAA67F914F715D69E265E2F4E7D8FBB16AF
HistoryDec 18, 2019 - 6:15 p.m.

Security Bulletin: Security vulnerabilities has been identified with the embedded Content Navigator used by IBM Business Automation Workflow (CVE 2019-4263, CVE-2019-10086, CVE-2019-12402)

2019-12-1818:15:16
www.ibm.com
5

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

IBM Business Automation Workflow has addressed the following security vulnerabilities with the embedded Content Navigator. For more information, refer to the X-Force database entries referred to below.

Vulnerability Details

CVEID: CVE-2019-4263 DESCRIPTION: IBM Content Navigator is vulnerable to local file inclusion, allowing an attacker to access a configuration file in the ICN server.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160015&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-10086 DESCRIPTION: Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base Score: 5.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2019-12402 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an error in the internal file name encoding algorithm. By persuading a victim to open specially crafted ZIP archive containing malicious input, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/165956&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Business Automation Workflow V18.0.0.1 through V19.0.0.2

Note: CVE-2019-4263 does not affect IBM Business Automation Workflow V19.0.0.2 or later.

Remediation/Fixes

Install interim fix JR61368 as appropriate for your current IBM Business Automation Workflow.

For IBM Business Automation Workflow V18.0.0.1 - V19.0.0.2
· Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by iFix and then apply iFix JR61368
--OR–
· Apply cumulative fix IBM Business Automation Workflow V19.0.0.3 (latest recommended)

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm business automation workfloweqany

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P