-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1645
       Cross-site scripting in IBM Business Automation Workflow and
            IBM Business Process Manager (BPM) (CVE-2019-4204)
                                10 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation Workflow
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4204  

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10880499

- --------------------------BEGIN INCLUDED TEXT--------------------

Cross-site scripting in IBM Business Automation Workflow and IBM Business
Process Manager (BPM) (CVE-2019-4204)

Product:             IBM Business Automation Workflow
Software version:    18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s): Platform Independent
Reference #:         0880499

Security Bulletin

Summary

A cross-site scripting vulnerability in IBM Business Automation Workflow and
IBM BPM has been found.

Vulnerability Details

CVEID: CVE-2019-4204
DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI, thus altering the intended functionality and potentially leading
to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
159125 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60830 as soon as practical:

  o IBM Business Automation Workflow (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1
. Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by
the iFix and then apply iFix JR60830
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.2 (planned for end
of Q2 2019)

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to at least IBM BPM 8.6.0.0 CF 2017.12 as required by iFix and then
apply iFix JR60830
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply Cumulative Fix 2017.06 and then apply iFix JR60830
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1
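
The three remediation paths above depend on which release and cumulative fix
(CF) level is installed. The following script is an added example, not IBM's
or AusCERT's code: it parses version strings in the spellings this bulletin
uses (V18.0.0.1, 8.6.0.CF201803, 8.5.7.0 Cumulative Fix 2017.06), reports
whether an instance falls inside one of the affected ranges listed above, and
returns the remediation path the bulletin gives for that range. The affected
ranges, APAR number and minimum fix levels are copied from the bulletin; the
parsing rules, function names and the sample inventory strings are assumptions
made for this script. A version outside the listed ranges is reported as "not
listed", not as fixed, because the bulletin enumerates only the affected ranges.

```python
"""Check IBM BAW / BPM version strings against the affected ranges in this
bulletin (added example; not IBM or AusCERT code)."""
import re
from typing import Dict, List, Tuple

APAR = "JR60830"  # APAR number from the bulletin

# Numeric part: optional leading "V", then dotted digits ("V18.0.0.1", "8.6.0").
_NUM_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)")
# Cumulative fix level in any of the spellings the bulletin uses:
# "CF201803", "CF 2018.03", "Cumulative Fix 2018.03".
_CF_RE = re.compile(r"(?:CF|Cumulative Fix)\s*(\d{4})\.?(\d{2})", re.IGNORECASE)

Key = Tuple[Tuple[int, int, int, int], int]  # (numeric version, CF as YYYYMM or 0)

# Affected ranges exactly as listed under "Affected Products and Versions".
AFFECTED = (
    ("IBM Business Automation Workflow", ((18, 0, 0, 0), 0), ((19, 0, 0, 1), 999999)),
    ("IBM Business Process Manager 8.6.0.0", ((8, 6, 0, 0), 0), ((8, 6, 0, 0), 201803)),
    ("IBM Business Process Manager 8.5.7.0", ((8, 5, 7, 0), 0), ((8, 5, 7, 0), 201706)),
)


def parse_version(text: str) -> Key:
    """'8.6.0.CF201803' -> ((8, 6, 0, 0), 201803); 'V18.0.0.1' -> ((18, 0, 0, 1), 0)."""
    text = text.strip()
    m = _NUM_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    parts = tuple((nums + [0, 0, 0, 0])[:4])
    cf = _CF_RE.search(text)
    return parts, (int(cf.group(1) + cf.group(2)) if cf else 0)


def remediation(product: str, key: Key) -> Dict[str, object]:
    """Remediation path from the bulletin for an affected (product, version)."""
    parts, cf = key
    steps: List[str] = []
    if product.startswith("IBM Business Automation Workflow"):
        if parts < (18, 0, 0, 1):   # the iFix requires at least 18.0.0.1
            steps.append("Upgrade to at least IBM Business Automation Workflow V18.0.0.1")
        alternative = "Apply cumulative fix Business Automation Workflow V19.0.0.2"
    elif parts == (8, 6, 0, 0):
        if cf < 201712:             # the iFix requires at least CF 2017.12
            steps.append("Upgrade to at least IBM BPM 8.6.0.0 CF 2017.12")
        alternative = "Upgrade to Business Automation Workflow V19.0.0.1"
    else:                           # 8.5.7.0 line: the iFix sits on CF 2017.06
        if cf < 201706:
            steps.append("Apply Cumulative Fix 2017.06")
        alternative = "Upgrade to Business Automation Workflow V19.0.0.1"
    steps.append(f"Apply iFix {APAR}")
    return {"steps": steps, "alternative": alternative}


def assess(text: str) -> Dict[str, object]:
    """Classify one installed version against the bulletin's affected ranges."""
    key = parse_version(text)
    for product, low, high in AFFECTED:
        if low <= key <= high:      # tuple order: numeric version, then CF level
            return {"version": text, "product": product, "affected": True,
                    "remediation": remediation(product, key)}
    # "Not listed" is not the same as "fixed": the bulletin only enumerates the
    # ranges above, so anything else must be checked against the IBM page.
    return {"version": text, "product": None, "affected": False,
            "remediation": {"steps": [], "alternative":
                            "Not in a range listed by this bulletin; verify "
                            "against the original IBM bulletin"}}


if __name__ == "__main__":
    # Constructed sample inventory in the string formats this bulletin uses.
    for v in ("V18.0.0.0", "19.0.0.1", "19.0.0.2", "8.6.0.CF201803",
              "8.6.0.0 Cumulative Fix 2017.06", "8.5.7.CF201612", "8.5.6.0"):
        r = assess(v)
        flag = "AFFECTED" if r["affected"] else "not listed"
        print(f"{v:32} {flag:11} {r['remediation']}")
```

Run it over the version strings from your own inventory (for example the
output of the product's version command, or the values in the cross reference
table at the end of this bulletin); the CF level is compared numerically, so
8.6.0.0 CF 2017.12 is correctly recognised as already meeting the iFix
prerequisite while 8.6.0.0 CF 2017.06 is not.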

Workarounds and Mitigations

None

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

Change History

09 May 2019: initial version published

                          Cross reference information

  Product                                 Platform      Version
  --------------------------------------  ------------  ----------------------------------
  IBM Business Process Manager            Platform      8.6.0.CF201803, 8.6.0.CF201712, 8.6
                                          Independent
  IBM Business Process Manager Advanced   Platform      8.5.7.CF201706, 8.5.7.CF201703,
                                          Independent   8.5.7.CF201612, 8.5.7.CF201609,
                                                        8.5.7.CF201606, 8.5.7
  IBM Business Process Manager Express    Platform      8.6.0.CF201803, 8.6.0.CF201712, 8.6,
                                          Independent   8.5.7.CF201706, 8.5.7.CF201703,
                                                        8.5.7.CF201612, 8.5.7.CF201609,
                                                        8.5.7.CF201606, 8.5.7
  IBM Business Process Manager Standard   Platform      8.5.7.CF201706, 8.5.7.CF201703,
                                          Independent   8.5.7.CF201612, 8.5.7.CF201609,
                                                        8.5.7.CF201606, 8.5.7

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----