Lucene search

K
ibmIBME23F7B0954D8804CF73BA94A1EC50BB525067CF5C982BEE6402F9DE045B28EF2
HistoryApr 28, 2022 - 5:02 p.m.

Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2022-0155, CVE-2022-0536, CVE-2021-3749

2022-04-2817:02:02
www.ibm.com
2

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.013 Low

EPSS

Percentile

85.8%

Summary

IBM Business Process Manager and IBM Business Automation Workflow are vulnerable to an information disclosure attack.

Vulnerability Details

CVEID:CVE-2021-3749
**DESCRIPTION:**axios is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the trim function. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause an application to consume an excessive amount of CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208438 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-0155
**DESCRIPTION:**follow-redirects could allow a remote attacker to obtain sensitive information, caused by an unauthorized actor. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to obtain private personal information and use this information to launch further attacks against the affected system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-0536
**DESCRIPTION:**Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by a leakage of the Authorization header from the same hostname during HTTPS to HTTP redirection. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain Authorization header information, and use this information to launch further attacks against the affected system.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219551 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s) Status
IBM Business Automation Workflow traditional V21.0.1 - V21.0.3
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.0 - V18.0.0.1 affected
IBM Business Automation Workflow containers V21.0.1 - V21.0.3
V20.0.0.1 - V20.0.0.2 affected
IBM Business Process Manager V8.6.0.0 - V8.6.0.201803 affected
IBM Business Process Manager V8.5.0.0 - V8.5.0.201706 not affected

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64327 as soon as practical. Note that the fix for 21.0.3 was published as a different APAR ID: JR64661.

Affected Product(s) Version(s) Remediation / Fix
IBM Business Automation Workflow traditional V21.0.3 Apply JR64661
IBM Business Automation Workflow containers V21.0.3 Apply IBM Business Automation Workflow containers 21.0.3-IF007 or later.
IBM Business Automation Workflow traditional V21.0.2 Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow containers V21.0.2 Apply IBM Business Automation Workflow containers 21.0.2-IF009 or later or upgrade to IBM Business Automation Workflow containers 21.0.3-IF007 or later
IBM Business Automation Workflow traditional V20.0.0.2 Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow traditional V20.0.0.1 Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow containers V20.0.0.1
V20.0.0.2 Upgrade to IBM Business Automation Workflow containers 21.0.3-IF007 or later
IBM Business Automation Workflow traditional V19.0.0.3 Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow traditional V19.0.0.2
V19.0.0.1
V18.0.0.2
V18.0.0.1 Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow traditional V18.0.0.0 Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Process Manager V8.6.0.0 - V8.6.0.201803 Upgrade to IBM Business Process Manager Version 8.6 Cumulative Fix 2018.03 and apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.013 Low

EPSS

Percentile

85.8%

Related for E23F7B0954D8804CF73BA94A1EC50BB525067CF5C982BEE6402F9DE045B28EF2