ESB-2019.1161 - [Win][UNIX/Linux][AIX] IBM Business Automation: Multiple vulnerabilities 2019-04-05

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1161
      multiple vulnerabilities discovered in IBM Business Automation
                               5 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation
Publisher:         IBM
Operating System:  AIX
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Existing Account            
                   Cross-site Request Forgery     -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Existing Account            
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Provide Misleading Information -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4080 CVE-2019-4046 CVE-2019-4045
                   CVE-2019-4030 CVE-2018-11212 CVE-2018-10237
                   CVE-2018-2000 CVE-2018-1999 CVE-2018-1997
                   CVE-2018-1996 CVE-2018-1902 CVE-2018-1885

Reference:         ASB-2018.0219
                   ESB-2019.1158
                   ESB-2019.1098.3
                   ESB-2019.1083.2
                   ESB-2019.1067
                   ESB-2019.1059
                   ESB-2019.1056
                   ESB-2019.1055

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10794831
   http://www.ibm.com/support/docview.wss?uid=ibm10870494
   http://www.ibm.com/support/docview.wss?uid=ibm10870496
   http://www.ibm.com/support/docview.wss?uid=ibm10870502
   http://www.ibm.com/support/docview.wss?uid=ibm10870760
   http://www.ibm.com/support/docview.wss?uid=ibm10872352
   http://www.ibm.com/support/docview.wss?uid=ibm10875276
   http://www.ibm.com/support/docview.wss?uid=ibm10875432
   http://www.ibm.com/support/docview.wss?uid=ibm10875436
   http://www.ibm.com/support/docview.wss?uid=ibm10878106
   http://www.ibm.com/support/docview.wss?uid=ibm10878446
   http://www.ibm.com/support/docview.wss?uid=ibm10878663

Comment: This bulletin contains twelve (12) advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Denial of service vulnerability in IBM Business Automation
Workflow (CVE-2018-1997)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Operating system(s): AIX, Linux, Windows

Reference #: 0794831

Modified date: 04 April 2019

Summary

A denial of service vulnerability has been found in IBM Business Automation
Workflow.

Vulnerability Details

CVEID:  CVE-2018-1997
DESCRIPTION: IBM Business Automation Workflow and Business Process Manager are
vulnerable to a denial of service attack. An authenticated attacker might send
a specially crafted request that exhausts server-side memory.
CVSS Base Score: 4.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities
/154774  for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03 

- - IBM Business Process Manager Advanced V8.5.7.0 through V8.5.7.0 Cumulative
Fix 2017.06

- - IBM Business Process Manager Advanced V8.5.6.0 through V8.5.6.0 Cumulative
Fix 2

- -IBM Business Process Manager Advanced V8.5.5.0

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR  JR60499   as soon as practical:

  o IBM Business Automation Workflow (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60499
Note that Business Automation Workflow 18.0.0.0 is a software bundle that
includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix
for IBM Business Automation Workflow 18.0.0.0, download the fix labeled
"8.6.0.201803-WS-BPM-IFJR60499".  
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1 

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60499
Note that Business Automation Workflow 18.0.0.0 is a software bundle that
includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix
for IBM Business Process Manager V8.6.0.0 CF 2018.03, download the fix labeled
"8.6.0.201803-WS-BPM-IFJR60499".
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1 

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply  Cumulative Fix 2017.06 and then apply iFix  JR60499
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1 

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply  CF2  and then apply iFix  JR60499
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.
. Apply iFix  JR60499
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product   Component  Platform                 Version                Edition
    IBM               AIX,
 Business             Linux,     8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Process             Windows
  Manager
    IBM               AIX,       8.5.7.CF201706, 8.5.7.CF201703,
 Business             Linux,     8.5.7.CF201612, 8.5.7.CF201609,
  Process             Solaris,   8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Windows, z 8.5.6.1, 8.5.6, 8.5.5
 Advanced             /OS
    IBM               AIX,       8.5.7.CF201706, 8.5.7.CF201703,
 Business             Linux,     8.5.7.CF201612, 8.5.7.CF201609,
  Process             Solaris,   8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Windows    8.5.6.1, 8.5.6, 8.5.5
 Standard
    IBM                          8.6.0.CF201803, 8.6.0.CF201712, 8.6,
 Business             Linux,     8.5.7.CF201706, 8.5.7.CF201703,
  Process             Windows    8.5.7.CF201612, 8.5.7.CF201609,
  Manager                        8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Express                        8.5.6.1, 8.5.6, 8.5.5



================================================================================

Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow
(CVE-2019-4045)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Operating system(s): Platform Independent

Reference #: 0870494

Modified date: 04 April 2019

Summary

A Spoofing vulnerability has been found in IBM Business Automation Workflow.

Vulnerability Details

CVEID:  CVE-2019-4045
DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager
provide embedded document management features. Because of a missing
restriction in an API, a client might spoof the last modified by value of a
document.
CVSS Base Score: 4.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities
/156241  for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03 

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR  JR60556   as soon as practical:

  o IBM Business Automation Workflow  (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60556
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1 

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1 

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply  Cumulative Fix 2017.06 and then apply iFix  JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply  C F2 and then apply iFix  JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
. Apply iFix  JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
. Apply iFix  JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
 Product   Component  Platform                  Version                Edition
   IBM
 Business            Platform    8.6.0.CF201803, 8.6.0.CF201712, 8.6
 Process             Independent
 Manager
   IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business            Platform    8.5.7.CF201612, 8.5.7.CF201609,
 Process             Independent 8.5.7.CF201606, 8.5.7, 8.5.6.2,
 Manager                         8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
 Advanced                        8.5.0.1, 8.5
   IBM                           8.6.0.CF201803, 8.6.0.CF201712, 8.6,
 Business                        8.5.7.CF201706, 8.5.7.CF201703,
 Process             Platform    8.5.7.CF201612, 8.5.7.CF201609,
 Manager             Independent 8.5.7.CF201606, 8.5.7, 8.5.6.2,
 Express                         8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
                                 8.5.0.1, 8.5
   IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business            Platform    8.5.7.CF201612, 8.5.7.CF201609,
 Process             Independent 8.5.7.CF201606, 8.5.7, 8.5.6.2,
 Manager                         8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
 Standard                        8.5.0.1, 8.5



================================================================================

Security Bulletin: Cross-site request forgery vulnerability in IBM Business
Automation Workflow (CVE-2018-2000)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1

Reference #: 0870496

Modified date: 04 April 2019

Summary

A Cross-site request forgery vulnerability has been found in IBM Business
Automation Workflow.

Vulnerability Details

CVEID:  CVE-2018-2000
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site request
forgery which could allow an attacker to execute malicious and unauthorized
actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities
/154890  for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1

- - IBM Business Process Manager V8.6.0.0 Cumulative Fix 2017.12 through
V8.6.0.0 Cumulative Fix 2018.03

Note: A fix for IBM Business Automation Workflow V18.0.0.2 is available even
though IBM Business Automation Workflow V18.0.0.2 is not vulnerable to this
security issue. The intention of this interim fix is to prevent the following
unnecessary warning message in IBM Installation Manager, which you see when
you upgrade IBM Business Automation Workflow: 

"One or more fixes will be uninstalled when IBM(R) Business Automation
Workflow is updated to V18.0.0.2. The update does not address issues that were
resolved previously by the maintenance packages. The problems might return if
fixes for the the following issues are not reapplied or have new fixes applied
to prevent the problems from returning.
- - JR60539 in the package IBM(R) Business Automation Workflow ..."

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR  JR60539  as soon as practical:

  o IBM Business Automation Workflow  (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60539
- --OR--
. Apply cumulative fix Business Automation Workflow V18.0.0.2

For IBM Business Process Manager V8.6.0.0 CF 2017.12 through V8.6.0.0 CF
2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60539
- --OR--
. Upgrade to Business Automation Workflow V18.0.0.2 

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
          Product           Component Platform         Version         Edition
   IBM Business Process                        8.6.0.CF201803,
          Manager                              8.6.0.CF201712
   IBM Business Process                        8.6.0.CF201803,
      Manager Express                          8.6.0.CF201712



================================================================================

Security Bulletin: Information leakage in IBM Business Automation Workflow
(CVE-2018-1999)

Document information

More support for: IBM Business Automation Workflow

Component: Not Applicable

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Reference #: 0870502

Modified date: 04 April 2019

Summary

An information leakage vulnerability in IBM Business Automation Workflow has
been found.

Vulnerability Details

CVEID:  CVE-2018-1999
DESCRIPTION: IBM Business Process Manager could reveal sensitive version
information about the server from error pages that could aid an attacker in
further attacks against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities
/154889  for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03 

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR  JR60566 as soon as practical:

  o IBM Business Automation Workflow  (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60566
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1 

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix  JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1 

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply  Cumulative Fix 2017.06 and then apply iFix  JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply  C F2 and then apply iFix  JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1 

For IBM BPM V8.5.5.0
. Apply iFix  JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
. Apply iFix  JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For products in extended support:

  o IBM Business Process Manager V8.0.0.0 through V8.0.1.3

. Migrate to Business Automation Workflow V19.0.0.1 

- --OR--

. Contact IBM support to obtain and then apply iFix  JR60566

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
 Product   Component Platform                 Version                  Edition
   IBM
 Business                     8.6.0.CF201803, 8.6.0.CF201712, 8.6
 Process
 Manager
   IBM                        8.5.7.CF201706, 8.5.7.CF201703,
 Business                     8.5.7.CF201612, 8.5.7.CF201609,
 Process                      8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1,
 Manager                      8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
 Advanced                     8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0
   IBM                        8.6.0.CF201803, 8.6.0.CF201712, 8.6,
 Business                     8.5.7.CF201706, 8.5.7.CF201703,
 Process                      8.5.7.CF201612, 8.5.7.CF201609,
 Manager                      8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1,
 Express                      8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
                              8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0
   IBM                        8.5.7.CF201706, 8.5.7.CF201703,
 Business                     8.5.7.CF201612, 8.5.7.CF201609,
 Process                      8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1,
 Manager                      8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
 Standard                     8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0



================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-10237)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Reference #: 0870760

Modified date: 04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, and IBM Business Process Manager. WebSphere Application
Server Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.

Vulnerability Details

Please consult the security bulletin:  Potential denial of service in
WebSphere Application Server (CVE-2018-10237) for vulnerability details and
information about fixes.

Affected Products and Versions

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

Change History

4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
   Product     Component Platform               Version                Edition
 IBM Business
   Process                        8.6.0.CF201803, 8.6.0.CF201712, 8.6
   Manager
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
 IBM Business                     8.5.7.CF201706, 8.5.7.CF201703,
   Process                        8.5.7.CF201612, 8.5.7.CF201609,
   Manager                        8.5.7.CF201606, 8.5.7, 8.5.6.2,
   Express                        8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
                                  8.5.0.1, 8.5
 IBM Business                     8.5.7.CF201706, 8.5.7.CF201703,
   Process                        8.5.7.CF201612, 8.5.7.CF201609,
   Manager                        8.5.7.CF201606, 8.5.7, 8.5.6.2,
   Standard                       8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
                                  8.5.0.1, 8.5
 IBM Business                     8.6, 8.5.7.CF201706, 8.5.7.CF201703,
   Process                        8.5.7.CF201612, 8.5.7.CF201609,
   Manager                        8.5.7.CF201606, 8.5.7, 8.5.6.2,
   Advanced                       8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
                                  8.5.0.1, 8.5
 IBM Business
   Process
   Manager                        8.6.0.0
  Enterprise
 Service Bus



================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-1996)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Operating system(s): AIX, Linux, Windows

Reference #: 0872352

Modified date: 04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Process Server,
WebSphere Enterprise Service Bus, and WebSphere Lombardi Edition. Information
about security vulnerabilities affecting IBM WebSphere Application Server
Traditional have been published in a security bulletin.

Vulnerability Details

Please consult the security bulletin:  Weaker than expected security in
WebSphere Application Server with SP800-131 transition mode (CVE-2018-1996)
 for vulnerability details and information about fixes.

Affected Products and Versions

- - WebSphere Process Server V7.0.0.0 through V7.0.0.5 (and earlier unsupported
releases)

- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases)

- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)

- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

Change History

4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product   Component  Platform                 Version                Edition
    IBM
 Business             AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Process             Windows
  Manager
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Linux,      8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Windows     8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Express                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.5.7.CF201706, 8.5.7.CF201703,
    IBM                           8.5.7.CF201612, 8.5.7.CF201609,
 Business             AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Solaris,    8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             Windows     8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Standard                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6, 8.5.7.CF201706, 8.5.7.CF201703,
    IBM               AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
 Business             Solaris,    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             OS          8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Advanced                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
 WebSphere            Platform    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
 Lombardi             Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
  Edition                         7.1.0.1, 7.1, 7.0.1
                      AIX, HP-UX,
 WebSphere            IBM i,      7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise            Linux,      7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus           Solaris,    7.0.0.2, 7.0.0.1, 7.0
                      Windows, z/
                      OS
    IBM
 Business
  Process             Platform    8.6.0.0
  Manager             Independent
Enterprise
Service Bus
 WebSphere
Enterprise            Platform
Service Bus           Independent Version Independent
 Registry
  Edition



================================================================================

Security Bulletin: Multiple vulnerabilities have been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (Java CPU January 2019)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1

Operating system(s): AIX, Linux, Windows

Reference #: 0875276

Modified date: 04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Enterprise
Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server
Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.

Vulnerability Details

Please consult the security bulletin Multiple Vulnerabilities in IBM(R) Java SDK
affect WebSphere Application Server January 2019 CPU for vulnerability details
and information about fixes.
Additionally,  IBM Business Automation Workflow, IBM Business Process Manager,
and WebSphere Lombardi Edition might be affected by the following
vulnerability:

CVEID: CVE-2018-11212 
DESCRIPTION: libjpeg is vulnerable to a denial of service, caused by
divide-by-zero error in the alloc_sarray function in jmemmgr.c. By persuading
a victim to open a specially-crafted file, a remote attacker could exploit
this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
143429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)

- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases)

Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.

For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.

Change History

4 April 2019: original document published
17 September 2018: added list of affected products

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product   Component  Platform                 Version                Edition
    IBM
 Business             AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Process             Windows
  Manager
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Linux,      8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Windows     8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Express                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.5.7.CF201706, 8.5.7.CF201703,
    IBM                           8.5.7.CF201612, 8.5.7.CF201609,
 Business             AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Solaris,    8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             Windows     8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Standard                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6, 8.5.7.CF201706, 8.5.7.CF201703,
    IBM               AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
 Business             Solaris,    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             OS          8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Advanced                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
 WebSphere            Platform    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
 Lombardi             Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
  Edition                         7.1.0.1, 7.1, 7.0.1
                      AIX, HP-UX,
 WebSphere            IBM i,      7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise            Linux,      7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus           Solaris,    7.0.0.2, 7.0.0.1, 7.0
                      Windows, z/
                      OS
    IBM
 Business
  Process             Platform    8.6.0.0
  Manager             Independent
Enterprise
Service Bus
 WebSphere
Enterprise            Platform
Service Bus           Independent Version Independent
 Registry
  Edition



================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2019-4030)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Reference #: 0875432

Modified date: 04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, and IBM Business Process Manager. Information about
security vulnerabilities affecting IBM WebSphere Application Server
Traditional have been published in a security bulletin.

Vulnerability Details

Please consult the security bulletin: Cross-site scripting vulnerability in
WebSphere Application Server Admin Console (CVE-2019-4030) for vulnerability
details and information about fixes.

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)

- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases

Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.

For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.

Change History

4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product   Component  Platform                 Version                Edition
    IBM
 Business                         8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Process
  Manager
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Express                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
 Standard                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
 Advanced                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
    IBM
 Business
  Process                         8.6.0.0
  Manager
Enterprise
Service Bus
 WebSphere            Platform    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
 Lombardi             Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
  Edition                         7.1.0.1, 7.1, 7.0.1
 WebSphere            Platform    7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise            Independent 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus                       7.0.0.2, 7.0.0.1, 7.0
 WebSphere
Enterprise            Platform
Service Bus           Independent Version Independent
 Registry
  Edition



================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-1902)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Operating system(s): AIX, Linux, Windows

Reference #: 0875436

Modified date: 04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Enterprise
Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server
Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.

Vulnerability Details

Please consult the security bulletin: Potential Spoofing vulnerability in
WebSphere Application Server (CVE-2018-1902) for vulnerability details and
information about fixes.

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)

- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases

Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.

For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.

Change History

4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product   Component  Platform                 Version                Edition
    IBM
 Business             AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Process             Windows
  Manager
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Linux,      8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Windows     8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Express                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.5.7.CF201706, 8.5.7.CF201703,
    IBM                           8.5.7.CF201612, 8.5.7.CF201609,
 Business             AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Solaris,    8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             Windows     8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Standard                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6, 8.5.7.CF201706, 8.5.7.CF201703,
    IBM               AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
 Business             Solaris,    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             OS          8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Advanced                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
 WebSphere            Platform    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
 Lombardi             Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
  Edition                         7.1.0.1, 7.1, 7.0.1
                      AIX, HP-UX,
 WebSphere            IBM i,      7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise            Linux,      7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus           Solaris,    7.0.0.2, 7.0.0.1, 7.0
                      Windows, z/
                      OS
    IBM
 Business
  Process             Platform    8.6.0.0
  Manager             Independent
Enterprise
Service Bus
 WebSphere
Enterprise            Platform
Service Bus           Independent Version Independent
 Registry
  Edition



================================================================================

Security Bulletin: External Service invocation in IBM Business Space affects
IBM Business Automation Workflow and IBM Business Process Manager family
products (CVE-2018-1885)

Document information

More support for: IBM Business Automation Workflow

Component: Not Applicable

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Reference #: 0878106

Modified date: 04 April 2019

Summary

A vulnerability in IBM Business Space can allow an attacker to cause an
external service invocation.

Vulnerability Details

CVEID:  CVE-2018-1885
DESCRIPTION: IBM Business Space could allow an unauthenticated attacker to
obtain sensitve information using a specially cracted HTTP request.
CVSS Base Score: 5.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities
/152020 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03 

- - IBM Business Process Manager Enterprise Service Bus V8.6

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.5.1.2

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60524 as soon as practical:

  o IBM Business Automation Workflow  (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to at least IBM Business Automation Workflow V18.0.0.1  as required
by iFix and then apply iFix  JR60524
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1 

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to at least IBM BPM 8.6.0.0 CF 2018.03 as required by iFix and then
apply iFix  JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1 

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply  Cumulative Fix 2017.06 and then apply iFix  JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply  C F2 and then apply iFix  JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1 

For IBM BPM V8.5.5.0
. Apply iFix  JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
. Apply iFix  JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For products in extended support:

  o IBM Business Process Manager V7.5.0.0 through V8.0.1.3

. Migrate to Business Automation Workflow V19.0.0.1 

  o IBM Websphere Enterprise Service Bus V7.0 through V7.5.1.2

. Migrate to IBM Business Process Manager Enterprise Service Bus V8.6

- --OR--

. Contact IBM support to obtain and then apply iFix  JR60524

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product    Component  Platform                 Version               Edition
IBM Business
  Process                          8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Manager
                                   8.5.7.CF201706, 8.5.7.CF201703,
IBM Business                       8.5.7.CF201612, 8.5.7.CF201609,
  Process              Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager              Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Advanced                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                   8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                   7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0
                                   8.5.7.CF201706, 8.5.7.CF201703,
IBM Business                       8.5.7.CF201612, 8.5.7.CF201609,
  Process              Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager              Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Express                          8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                   8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                   7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0
                                   8.5.7.CF201706, 8.5.7.CF201703,
IBM Business                       8.5.7.CF201612, 8.5.7.CF201609,
  Process              Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager              Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Standard                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                   8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                   7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0
IBM Business
  Process              Platform
  Manager              Independent 8.6.0.CF201803, 8.6.0.CF201712, 8.6
 Enterprise
Service Bus



================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2019-4046)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1

Operating system(s): AIX, Linux, Windows

Reference #: 0878446

Modified date: 04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Enterprise
Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server
Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.

Vulnerability Details

Please consult the security bulletin: Potential denial of service
vulnerability in WebSphere Application Server (CVE-2019-4046) for
vulnerability details and information about fixes.

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1

- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)

- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases

Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.

For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.

Change History

4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product   Component  Platform                 Version                Edition
    IBM
 Business             AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Process             Windows
  Manager
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Linux,      8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Windows     8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Express                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.5.7.CF201706, 8.5.7.CF201703,
    IBM                           8.5.7.CF201612, 8.5.7.CF201609,
 Business             AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Solaris,    8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             Windows     8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Standard                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6, 8.5.7.CF201706, 8.5.7.CF201703,
    IBM               AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
 Business             Solaris,    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Process             Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Manager             OS          8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
 Advanced                         8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
 WebSphere            Platform    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
 Lombardi             Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
  Edition                         7.1.0.1, 7.1, 7.0.1
                      AIX, HP-UX,
 WebSphere            IBM i,      7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise            Linux,      7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus           Solaris,    7.0.0.2, 7.0.0.1, 7.0
                      Windows, z/
                      OS
    IBM
 Business
  Process             Platform    8.6.0.0
  Manager             Independent
Enterprise
Service Bus
 WebSphere
Enterprise            Platform
Service Bus           Independent Version Independent
 Registry
  Edition



================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2019-4080)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1

Operating system(s): Platform Independent

Reference #: 0878663

Modified date: 04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, and IBM Business Process Manager. Information about
security vulnerabilities affecting IBM WebSphere Application Server
Traditional have been published in a security bulletin.

Vulnerability Details

Please consult the security bulletin: Potential denial of service in WebSphere
Application Server Admin Console (CVE-2019-4080) for vulnerability details and
information about fixes.

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2

- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)

- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases)

Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.

Change History

4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information
  Product   Component  Platform                 Version                Edition
    IBM
 Business                         8.6.0.CF201803, 8.6.0.CF201712, 8.6
  Process
  Manager
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
  Express                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
 Standard                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
                                  8.6.0.CF201803, 8.6.0.CF201712, 8.6,
    IBM                           8.5.7.CF201706, 8.5.7.CF201703,
 Business                         8.5.7.CF201612, 8.5.7.CF201609,
  Process             Platform    8.5.7.CF201606, 8.5.7, 8.5.6.2,
  Manager             Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
 Advanced                         8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
                                  8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
                                  7.5.1.1, 7.5.1, 7.5.0.1, 7.5
    IBM
 Business
  Process                         8.6.0.0
  Manager
Enterprise
Service Bus
 WebSphere            Platform    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
 Lombardi             Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
  Edition                         7.1.0.1, 7.1, 7.0.1
 WebSphere            Platform    7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise            Independent 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus                       7.0.0.2, 7.0.0.1, 7.0
 WebSphere
Enterprise            Platform
Service Bus           Independent Version Independent
 Registry
  Edition

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXKbjfGaOgq3Tt24GAQgtzw/+OKJ/HPGZtRDjH3h5ZRM79LRV9GMaHSIv
EWUHOIRruLx26gpmYvjIwW+SuNb6/z3QN2UL+5iIcbuu4SRNM+G4oaIwrfu3qVM4
oCQtkpAlESZ81Z05qlCk+OpTHU2Tf0Sj0Gmvb10w5ZHYZKLdyH1b4WTWYWG7Kc1x
6/Q4S3S3pjJ5IyxOxG0NdGEPeNqkImcy4EUPlSjfzWCrIRzb8SfGiqDwaqlAAMMK
IdGMAbp59kNM0iok2rLxhocsteCVtGTUt9WXUSFjsI/cc3VrLNWKo0kMMe3dAIyN
q3laSv9Yg1/5YkCgs29rKRBbkM+AHfkEEJrv8fhBmG1rjUXD1cTQwSIxEFyZ4iTS
4VS4HCv2MPwG70vqTezZhPdY+Vn/vLf4ZLn/VoJGC32T46Vv6sz6qxBTKXtR0Lzv
83XCM3hliUjvCl6BZuN8Rn0y2od9u34+ru4yNX9qC6OMzYDfEKjwVSKbHNJSU3vX
nVMpXE4Hhsw5C1vbRsXukzFs3VgvQjIr6fwEWSU3q2YVIpfQDuY73s+6fKJbPebF
PpFRhoKfhQ2FKFw4ai/0z0jhmdqPj2rEsIhxYD/FbPHot4K0yjgPm959p6AVPqPA
9YgZtma7hRoW87exIep+MxLrLcJkRH9P0LqdYqgvk7gudGFJ8Ua5Jz0N314FDjoU
a8mO7irzK0E=
=vKli
-----END PGP SIGNATURE-----

« Back to bulletins