
Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow (CVE-2019-4045)

2022-09-14 15:02:20
www.ibm.com

CVSS2: 4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001 Low
Percentile: 19.7%

Summary

A Spoofing vulnerability has been found in IBM Business Automation Workflow.

Vulnerability Details

CVEID: CVE-2019-4045
DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager provide embedded document management features. Because of a missing restriction in an API, a client might spoof the "last modified by" value of a document.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156241> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60556 as soon as practical:

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60556
--OR--
· Apply cumulative fix Business Automation Workflow V19.0.0.1

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60556
--OR--
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR60556
--OR--
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
· Apply CF 2 and then apply iFix JR60556
--OR--
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
· Apply iFix JR60556
--OR--
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
· Apply iFix JR60556
--OR--
· Upgrade to Business Automation Workflow V19.0.0.1

Workarounds and Mitigations

None

