IBMEA188C8CDA535DA47C20D5ED87277CF16E1543CB44FCA24C0BD2F9C559D4FC01Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow (CVE-2019-4045)
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
19.7%
Summary
A Spoofing vulnerability has been found in IBM Business Automation Workflow.
Vulnerability Details
CVEID: CVE-2019-4045 DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156241> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60556 as soon as practical:
- IBM Business Automation Workflow (including fix for IBM Business Process Manager V8.6.0.0 2018.03)
- IBM Business Process Manager Advanced
- IBM Business Process Manager Standard
- IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60556
--OR–
· Apply cumulative fix Business Automation Workflow V19.0.0.1
For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
· Apply C F2 and then apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.5.0
· Apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.0.0 through V8.5.0.2
· Apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1
Workarounds and Mitigations
None
Affected configurations
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
19.7%