Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1161
multiple vulnerabilities discovered in IBM Business Automation
5 April 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Business Automation
Publisher: IBM
Operating System: AIX
UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Access Privileged Data -- Existing Account
Cross-site Request Forgery -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Cross-site Scripting -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Provide Misleading Information -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2019-4080 CVE-2019-4046 CVE-2019-4045
CVE-2019-4030 CVE-2018-11212 CVE-2018-10237
CVE-2018-2000 CVE-2018-1999 CVE-2018-1997
CVE-2018-1996 CVE-2018-1902 CVE-2018-1885
Reference: ASB-2018.0219
ESB-2019.1158
ESB-2019.1098.3
ESB-2019.1083.2
ESB-2019.1067
ESB-2019.1059
ESB-2019.1056
ESB-2019.1055
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=ibm10794831
http://www.ibm.com/support/docview.wss?uid=ibm10870494
http://www.ibm.com/support/docview.wss?uid=ibm10870496
http://www.ibm.com/support/docview.wss?uid=ibm10870502
http://www.ibm.com/support/docview.wss?uid=ibm10870760
http://www.ibm.com/support/docview.wss?uid=ibm10872352
http://www.ibm.com/support/docview.wss?uid=ibm10875276
http://www.ibm.com/support/docview.wss?uid=ibm10875432
http://www.ibm.com/support/docview.wss?uid=ibm10875436
http://www.ibm.com/support/docview.wss?uid=ibm10878106
http://www.ibm.com/support/docview.wss?uid=ibm10878446
http://www.ibm.com/support/docview.wss?uid=ibm10878663
Comment: This bulletin contains twelve (12) advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Denial of service vulnerability in IBM Business Automation
Workflow (CVE-2018-1997)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s): AIX, Linux, Windows
Reference #: 0794831
Modified date: 04 April 2019
Summary
A denial of service vulnerability has been found in IBM Business Automation
Workflow.
Vulnerability Details
CVEID: CVE-2018-1997
DESCRIPTION: IBM Business Automation Workflow and Business Process Manager are
vulnerable to a denial of service attack. An authenticated attacker might send
a specially crafted request that exhausts server-side memory.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities
/154774 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager Advanced V8.5.7.0 through V8.5.7.0 Cumulative
Fix 2017.06
- - IBM Business Process Manager Advanced V8.5.6.0 through V8.5.6.0 Cumulative
Fix 2
- -IBM Business Process Manager Advanced V8.5.5.0
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60499 as soon as practical:
o IBM Business Automation Workflow (including fix for IBM Business Process
Manager V8.6.0.0 2018.03)
o IBM Business Process Manager
o IBM Business Process Manager Advanced
o IBM Business Process Manager Standard
o IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60499
Note that Business Automation Workflow 18.0.0.0 is a software bundle that
includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix
for IBM Business Automation Workflow 18.0.0.0, download the fix labeled
"8.6.0.201803-WS-BPM-IFJR60499".
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1
For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60499
Note that Business Automation Workflow 18.0.0.0 is a software bundle that
includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the fix
for IBM Business Process Manager V8.6.0.0 CF 2018.03, download the fix labeled
"8.6.0.201803-WS-BPM-IFJR60499".
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply Cumulative Fix 2017.06 and then apply iFix JR60499
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply CF2 and then apply iFix JR60499
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.5.
. Apply iFix JR60499
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
Workarounds and Mitigations
None
Change History
4 April 2019: initial version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM AIX,
Business Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process Windows
Manager
IBM AIX, 8.5.7.CF201706, 8.5.7.CF201703,
Business Linux, 8.5.7.CF201612, 8.5.7.CF201609,
Process Solaris, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Windows, z 8.5.6.1, 8.5.6, 8.5.5
Advanced /OS
IBM AIX, 8.5.7.CF201706, 8.5.7.CF201703,
Business Linux, 8.5.7.CF201612, 8.5.7.CF201609,
Process Solaris, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Windows 8.5.6.1, 8.5.6, 8.5.5
Standard
IBM 8.6.0.CF201803, 8.6.0.CF201712, 8.6,
Business Linux, 8.5.7.CF201706, 8.5.7.CF201703,
Process Windows 8.5.7.CF201612, 8.5.7.CF201609,
Manager 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Express 8.5.6.1, 8.5.6, 8.5.5
================================================================================
Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow
(CVE-2019-4045)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s): Platform Independent
Reference #: 0870494
Modified date: 04 April 2019
Summary
A Spoofing vulnerability has been found in IBM Business Automation Workflow.
Vulnerability Details
CVEID: CVE-2019-4045
DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager
provide embedded document management features. Because of a missing
restriction in an API, a client might spoof the last modified by value of a
document.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities
/156241 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60556 as soon as practical:
o IBM Business Automation Workflow (including fix for IBM Business Process
Manager V8.6.0.0 2018.03)
o IBM Business Process Manager Advanced
o IBM Business Process Manager Standard
o IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60556
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1
For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply Cumulative Fix 2017.06 and then apply iFix JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply C F2 and then apply iFix JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.5.0
. Apply iFix JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.0.0 through V8.5.0.2
. Apply iFix JR60556
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
Workarounds and Mitigations
None
Change History
4 April 2019: initial version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business Platform 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process Independent
Manager
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business Platform 8.5.7.CF201612, 8.5.7.CF201609,
Process Independent 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Advanced 8.5.0.1, 8.5
IBM 8.6.0.CF201803, 8.6.0.CF201712, 8.6,
Business 8.5.7.CF201706, 8.5.7.CF201703,
Process Platform 8.5.7.CF201612, 8.5.7.CF201609,
Manager Independent 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Express 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
8.5.0.1, 8.5
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business Platform 8.5.7.CF201612, 8.5.7.CF201609,
Process Independent 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Standard 8.5.0.1, 8.5
================================================================================
Security Bulletin: Cross-site request forgery vulnerability in IBM Business
Automation Workflow (CVE-2018-2000)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1
Reference #: 0870496
Modified date: 04 April 2019
Summary
A Cross-site request forgery vulnerability has been found in IBM Business
Automation Workflow.
Vulnerability Details
CVEID: CVE-2018-2000
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site request
forgery which could allow an attacker to execute malicious and unauthorized
actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities
/154890 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- - IBM Business Process Manager V8.6.0.0 Cumulative Fix 2017.12 through
V8.6.0.0 Cumulative Fix 2018.03
Note: A fix for IBM Business Automation Workflow V18.0.0.2 is available even
though IBM Business Automation Workflow V18.0.0.2 is not vulnerable to this
security issue. The intention of this interim fix is to prevent the following
unnecessary warning message in IBM Installation Manager, which you see when
you upgrade IBM Business Automation Workflow:
"One or more fixes will be uninstalled when IBM(R) Business Automation
Workflow is updated to V18.0.0.2. The update does not address issues that were
resolved previously by the maintenance packages. The problems might return if
fixes for the the following issues are not reapplied or have new fixes applied
to prevent the problems from returning.
- - JR60539 in the package IBM(R) Business Automation Workflow ..."
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60539 as soon as practical:
o IBM Business Automation Workflow (including fix for IBM Business Process
Manager V8.6.0.0 2018.03)
o IBM Business Process Manager
o IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60539
- --OR--
. Apply cumulative fix Business Automation Workflow V18.0.0.2
For IBM Business Process Manager V8.6.0.0 CF 2017.12 through V8.6.0.0 CF
2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60539
- --OR--
. Upgrade to Business Automation Workflow V18.0.0.2
Workarounds and Mitigations
None
Change History
4 April 2019: initial version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM Business Process 8.6.0.CF201803,
Manager 8.6.0.CF201712
IBM Business Process 8.6.0.CF201803,
Manager Express 8.6.0.CF201712
================================================================================
Security Bulletin: Information leakage in IBM Business Automation Workflow
(CVE-2018-1999)
Document information
More support for: IBM Business Automation Workflow
Component: Not Applicable
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #: 0870502
Modified date: 04 April 2019
Summary
An information leakage vulnerability in IBM Business Automation Workflow has
been found.
Vulnerability Details
CVEID: CVE-2018-1999
DESCRIPTION: IBM Business Process Manager could reveal sensitive version
information about the server from error pages that could aid an attacker in
further attacks against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities
/154889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60566 as soon as practical:
o IBM Business Automation Workflow (including fix for IBM Business Process
Manager V8.6.0.0 2018.03)
o IBM Business Process Manager Advanced
o IBM Business Process Manager Standard
o IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60566
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1
For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to minimal cumulative fix levels as required by iFix and then apply
iFix JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply Cumulative Fix 2017.06 and then apply iFix JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply C F2 and then apply iFix JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.5.0
. Apply iFix JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.0.0 through V8.5.0.2
. Apply iFix JR60566
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For products in extended support:
o IBM Business Process Manager V8.0.0.0 through V8.0.1.3
. Migrate to Business Automation Workflow V19.0.0.1
- --OR--
. Contact IBM support to obtain and then apply iFix JR60566
Workarounds and Mitigations
None
Change History
4 April 2019: initial version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process
Manager
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1,
Manager 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
Advanced 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0
IBM 8.6.0.CF201803, 8.6.0.CF201712, 8.6,
Business 8.5.7.CF201706, 8.5.7.CF201703,
Process 8.5.7.CF201612, 8.5.7.CF201609,
Manager 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1,
Express 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1,
Manager 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
Standard 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0
================================================================================
Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-10237)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #: 0870760
Modified date: 04 April 2019
Summary
WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, and IBM Business Process Manager. WebSphere Application
Server Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.
Vulnerability Details
Please consult the security bulletin: Potential denial of service in
WebSphere Application Server (CVE-2018-10237) for vulnerability details and
information about fixes.
Affected Products and Versions
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
Change History
4 April 2019: original document published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM Business
Process 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Manager
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM Business 8.5.7.CF201706, 8.5.7.CF201703,
Process 8.5.7.CF201612, 8.5.7.CF201609,
Manager 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Express 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
8.5.0.1, 8.5
IBM Business 8.5.7.CF201706, 8.5.7.CF201703,
Process 8.5.7.CF201612, 8.5.7.CF201609,
Manager 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Standard 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
8.5.0.1, 8.5
IBM Business 8.6, 8.5.7.CF201706, 8.5.7.CF201703,
Process 8.5.7.CF201612, 8.5.7.CF201609,
Manager 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Advanced 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
8.5.0.1, 8.5
IBM Business
Process
Manager 8.6.0.0
Enterprise
Service Bus
================================================================================
Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-1996)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s): AIX, Linux, Windows
Reference #: 0872352
Modified date: 04 April 2019
Summary
WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Process Server,
WebSphere Enterprise Service Bus, and WebSphere Lombardi Edition. Information
about security vulnerabilities affecting IBM WebSphere Application Server
Traditional have been published in a security bulletin.
Vulnerability Details
Please consult the security bulletin: Weaker than expected security in
WebSphere Application Server with SP800-131 transition mode (CVE-2018-1996)
for vulnerability details and information about fixes.
Affected Products and Versions
- - WebSphere Process Server V7.0.0.0 through V7.0.0.5 (and earlier unsupported
releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases)
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
Change History
4 April 2019: original document published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process Windows
Manager
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Windows 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Express 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.5.7.CF201706, 8.5.7.CF201703,
IBM 8.5.7.CF201612, 8.5.7.CF201609,
Business AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Solaris, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager Windows 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Standard 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6, 8.5.7.CF201706, 8.5.7.CF201703,
IBM AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
Business Solaris, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager OS 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Advanced 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
WebSphere Platform 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
Lombardi Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
Edition 7.1.0.1, 7.1, 7.0.1
AIX, HP-UX,
WebSphere IBM i, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise Linux, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus Solaris, 7.0.0.2, 7.0.0.1, 7.0
Windows, z/
OS
IBM
Business
Process Platform 8.6.0.0
Manager Independent
Enterprise
Service Bus
WebSphere
Enterprise Platform
Service Bus Independent Version Independent
Registry
Edition
================================================================================
Security Bulletin: Multiple vulnerabilities have been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (Java CPU January 2019)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s): AIX, Linux, Windows
Reference #: 0875276
Modified date: 04 April 2019
Summary
WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Enterprise
Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server
Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.
Vulnerability Details
Please consult the security bulletin Multiple Vulnerabilities in IBM(R) Java SDK
affect WebSphere Application Server January 2019 CPU for vulnerability details
and information about fixes.
Additionally, IBM Business Automation Workflow, IBM Business Process Manager,
and WebSphere Lombardi Edition might be affected by the following
vulnerability:
CVEID: CVE-2018-11212
DESCRIPTION: libjpeg is vulnerable to a denial of service, caused by
divide-by-zero error in the alloc_sarray function in jmemmgr.c. By persuading
a victim to open a specially-crafted file, a remote attacker could exploit
this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
143429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases)
Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.
For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.
Change History
4 April 2019: original document published
17 September 2018: added list of affected products
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process Windows
Manager
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Windows 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Express 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.5.7.CF201706, 8.5.7.CF201703,
IBM 8.5.7.CF201612, 8.5.7.CF201609,
Business AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Solaris, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager Windows 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Standard 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6, 8.5.7.CF201706, 8.5.7.CF201703,
IBM AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
Business Solaris, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager OS 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Advanced 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
WebSphere Platform 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
Lombardi Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
Edition 7.1.0.1, 7.1, 7.0.1
AIX, HP-UX,
WebSphere IBM i, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise Linux, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus Solaris, 7.0.0.2, 7.0.0.1, 7.0
Windows, z/
OS
IBM
Business
Process Platform 8.6.0.0
Manager Independent
Enterprise
Service Bus
WebSphere
Enterprise Platform
Service Bus Independent Version Independent
Registry
Edition
================================================================================
Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2019-4030)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #: 0875432
Modified date: 04 April 2019
Summary
WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, and IBM Business Process Manager. Information about
security vulnerabilities affecting IBM WebSphere Application Server
Traditional have been published in a security bulletin.
Vulnerability Details
Please consult the security bulletin: Cross-site scripting vulnerability in
WebSphere Application Server Admin Console (CVE-2019-4030) for vulnerability
details and information about fixes.
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases
Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.
For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.
Change History
4 April 2019: original document published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process
Manager
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Express 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Standard 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Advanced 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
IBM
Business
Process 8.6.0.0
Manager
Enterprise
Service Bus
WebSphere Platform 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
Lombardi Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
Edition 7.1.0.1, 7.1, 7.0.1
WebSphere Platform 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise Independent 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus 7.0.0.2, 7.0.0.1, 7.0
WebSphere
Enterprise Platform
Service Bus Independent Version Independent
Registry
Edition
================================================================================
Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-1902)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s): AIX, Linux, Windows
Reference #: 0875436
Modified date: 04 April 2019
Summary
WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Enterprise
Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server
Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.
Vulnerability Details
Please consult the security bulletin: Potential Spoofing vulnerability in
WebSphere Application Server (CVE-2018-1902) for vulnerability details and
information about fixes.
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases
Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.
For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.
Change History
4 April 2019: original document published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process Windows
Manager
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Windows 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Express 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.5.7.CF201706, 8.5.7.CF201703,
IBM 8.5.7.CF201612, 8.5.7.CF201609,
Business AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Solaris, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager Windows 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Standard 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6, 8.5.7.CF201706, 8.5.7.CF201703,
IBM AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
Business Solaris, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager OS 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Advanced 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
WebSphere Platform 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
Lombardi Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
Edition 7.1.0.1, 7.1, 7.0.1
AIX, HP-UX,
WebSphere IBM i, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise Linux, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus Solaris, 7.0.0.2, 7.0.0.1, 7.0
Windows, z/
OS
IBM
Business
Process Platform 8.6.0.0
Manager Independent
Enterprise
Service Bus
WebSphere
Enterprise Platform
Service Bus Independent Version Independent
Registry
Edition
================================================================================
Security Bulletin: External Service invocation in IBM Business Space affects
IBM Business Automation Workflow and IBM Business Process Manager family
products (CVE-2018-1885)
Document information
More support for: IBM Business Automation Workflow
Component: Not Applicable
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #: 0878106
Modified date: 04 April 2019
Summary
A vulnerability in IBM Business Space can allow an attacker to cause an
external service invocation.
Vulnerability Details
CVEID: CVE-2018-1885
DESCRIPTION: IBM Business Space could allow an unauthenticated attacker to
obtain sensitve information using a specially cracted HTTP request.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities
/152020 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager Enterprise Service Bus V8.6
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.5.1.2
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60524 as soon as practical:
o IBM Business Automation Workflow (including fix for IBM Business Process
Manager V8.6.0.0 2018.03)
o IBM Business Process Manager Advanced
o IBM Business Process Manager Standard
o IBM Business Process Manager Express
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required
by iFix and then apply iFix JR60524
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1
For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to at least IBM BPM 8.6.0.0 CF 2018.03 as required by iFix and then
apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply Cumulative Fix 2017.06 and then apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
. Apply C F2 and then apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.5.0
. Apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For IBM BPM V8.5.0.0 through V8.5.0.2
. Apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
For products in extended support:
o IBM Business Process Manager V7.5.0.0 through V8.0.1.3
. Migrate to Business Automation Workflow V19.0.0.1
o IBM Websphere Enterprise Service Bus V7.0 through V7.5.1.2
. Migrate to IBM Business Process Manager Enterprise Service Bus V8.6
- --OR--
. Contact IBM support to obtain and then apply iFix JR60524
Workarounds and Mitigations
None
Change History
4 April 2019: initial version published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM Business
Process 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Manager
8.5.7.CF201706, 8.5.7.CF201703,
IBM Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Advanced 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0
8.5.7.CF201706, 8.5.7.CF201703,
IBM Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Express 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0
8.5.7.CF201706, 8.5.7.CF201703,
IBM Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Standard 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0
IBM Business
Process Platform
Manager Independent 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Enterprise
Service Bus
================================================================================
Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2019-4046)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s): AIX, Linux, Windows
Reference #: 0878446
Modified date: 04 April 2019
Summary
WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Enterprise
Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server
Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty have been published in a security
bulletin.
Vulnerability Details
Please consult the security bulletin: Potential denial of service
vulnerability in WebSphere Application Server (CVE-2019-4046) for
vulnerability details and information about fixes.
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through
V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases
Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.
For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.
Change History
4 April 2019: original document published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business AIX, Linux, 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process Windows
Manager
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Windows 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Express 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.5.7.CF201706, 8.5.7.CF201703,
IBM 8.5.7.CF201612, 8.5.7.CF201609,
Business AIX, Linux, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Solaris, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager Windows 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Standard 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6, 8.5.7.CF201706, 8.5.7.CF201703,
IBM AIX, Linux, 8.5.7.CF201612, 8.5.7.CF201609,
Business Solaris, 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Process Windows, z/ 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Manager OS 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
Advanced 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
WebSphere Platform 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
Lombardi Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
Edition 7.1.0.1, 7.1, 7.0.1
AIX, HP-UX,
WebSphere IBM i, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise Linux, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus Solaris, 7.0.0.2, 7.0.0.1, 7.0
Windows, z/
OS
IBM
Business
Process Platform 8.6.0.0
Manager Independent
Enterprise
Service Bus
WebSphere
Enterprise Platform
Service Bus Independent Version Independent
Registry
Edition
================================================================================
Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2019-4080)
Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s): Platform Independent
Reference #: 0878663
Modified date: 04 April 2019
Summary
WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, and IBM Business Process Manager. Information about
security vulnerabilities affecting IBM WebSphere Application Server
Traditional have been published in a security bulletin.
Vulnerability Details
Please consult the security bulletin: Potential denial of service in WebSphere
Application Server Admin Console (CVE-2019-4080) for vulnerability details and
information about fixes.
Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
unsupported releases)
Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.
Change History
4 April 2019: original document published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Product Component Platform Version Edition
IBM
Business 8.6.0.CF201803, 8.6.0.CF201712, 8.6
Process
Manager
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Express 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Standard 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
8.6.0.CF201803, 8.6.0.CF201712, 8.6,
IBM 8.5.7.CF201706, 8.5.7.CF201703,
Business 8.5.7.CF201612, 8.5.7.CF201609,
Process Platform 8.5.7.CF201606, 8.5.7, 8.5.6.2,
Manager Independent 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
Advanced 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2,
8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
7.5.1.1, 7.5.1, 7.5.0.1, 7.5
IBM
Business
Process 8.6.0.0
Manager
Enterprise
Service Bus
WebSphere Platform 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
Lombardi Independent 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2,
Edition 7.1.0.1, 7.1, 7.0.1
WebSphere Platform 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1,
Enterprise Independent 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
Service Bus 7.0.0.2, 7.0.0.1, 7.0
WebSphere
Enterprise Platform
Service Bus Independent Version Independent
Registry
Edition
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXKbjfGaOgq3Tt24GAQgtzw/+OKJ/HPGZtRDjH3h5ZRM79LRV9GMaHSIv
EWUHOIRruLx26gpmYvjIwW+SuNb6/z3QN2UL+5iIcbuu4SRNM+G4oaIwrfu3qVM4
oCQtkpAlESZ81Z05qlCk+OpTHU2Tf0Sj0Gmvb10w5ZHYZKLdyH1b4WTWYWG7Kc1x
6/Q4S3S3pjJ5IyxOxG0NdGEPeNqkImcy4EUPlSjfzWCrIRzb8SfGiqDwaqlAAMMK
IdGMAbp59kNM0iok2rLxhocsteCVtGTUt9WXUSFjsI/cc3VrLNWKo0kMMe3dAIyN
q3laSv9Yg1/5YkCgs29rKRBbkM+AHfkEEJrv8fhBmG1rjUXD1cTQwSIxEFyZ4iTS
4VS4HCv2MPwG70vqTezZhPdY+Vn/vLf4ZLn/VoJGC32T46Vv6sz6qxBTKXtR0Lzv
83XCM3hliUjvCl6BZuN8Rn0y2od9u34+ru4yNX9qC6OMzYDfEKjwVSKbHNJSU3vX
nVMpXE4Hhsw5C1vbRsXukzFs3VgvQjIr6fwEWSU3q2YVIpfQDuY73s+6fKJbPebF
PpFRhoKfhQ2FKFw4ai/0z0jhmdqPj2rEsIhxYD/FbPHot4K0yjgPm959p6AVPqPA
9YgZtma7hRoW87exIep+MxLrLcJkRH9P0LqdYqgvk7gudGFJ8Ua5Jz0N314FDjoU
a8mO7irzK0E=
=vKli
-----END PGP SIGNATURE-----