-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1952
 Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer
 used in IBM Business Automation Workflow and IBM Business Process Manager
                                31 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation Workflow
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Windows
Impact/Access:     Modify Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-2684 CVE-2019-2602

Reference:         ASB-2019.0118
                   ESB-2019.1948
                   ESB-2019.1934
                   ESB-2019.1896

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10884048

--------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer used
in IBM Business Automation Workflow and IBM Business Process Manager

Product:             IBM Business Automation Workflow
Software version:    18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s): AIX, Linux, Windows
Reference #:         0884048

Security Bulletin

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Versions 6
and 7 used by the desktop version of IBM Process Designer. IBM Process Designer
has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2019-2602
DESCRIPTION: An unspecified vulnerability related to the Java SE Libraries
component could allow an unauthenticated attacker to cause a denial of service
resulting in a high availability impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159698
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-2684
DESCRIPTION: An unspecified vulnerability related to the Java SE RMI component
could allow an unauthenticated attacker to achieve a high integrity impact, with
no confidentiality impact and no availability impact.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159776
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM Business Automation Workflow 18.0.0.1, 18.0.0.2, 19.0.0.1
IBM Business Process Manager 8.6.0.0 - 8.6.0.0 CF2018.03
IBM Business Process Manager 8.5.7 - 8.5.7 CF2017.06
IBM Business Process Manager 8.5.6.0 - 8.5.6.0 CF02
IBM Business Process Manager 8.5.5.0
IBM Business Process Manager 8.5.0.0 - 8.5.0.2
IBM Business Process Manager 8.0.0.0 - 8.0.1.3
IBM Business Process Manager 7.5.0.0 - 7.5.1.2

Remediation/Fixes

Install the interim fix JR61017 that applies to your version:

  o IBM Business Automation Workflow 19.0.0.1
  o IBM Business Automation Workflow 18.0.0.2
  o IBM Business Automation Workflow 18.0.0.1
  o IBM Business Process Manager 8.6.0.0 CF2018.03
  o IBM Business Process Manager 8.6.0.0 CF2017.12
  o IBM Business Process Manager Express 8.6.0.0 CF2017.12
  o IBM Business Process Manager Advanced 8.5.7 CF2017.06
  o IBM Business Process Manager Standard 8.5.7 CF2017.06
  o IBM Business Process Manager Express 8.5.7 CF2017.06

Because support for Java 6 with Business Process Manager has ended, if you are on
an earlier version of IBM Business Process Manager, upgrade to IBM Business
Process Manager V8.5.7.0 2017.06 or later, or to IBM Business Automation
Workflow, and then apply interim fix JR61017.

Workarounds and Mitigations

None

IBM Java SDK Security Bulletin

Change History

27 May 2019: Original version published

                          Cross reference information
Product                                Component  Platform             Version                               Edition
IBM Business Automation Workflow                  AIX, Linux, Windows  8.6.0.0 CF2018.03, 8.6.0.0 CF2017.12
IBM Business Process Manager Advanced             AIX, Linux, Windows  8.5.7 CF2017.06
IBM Business Process Manager Express              AIX, Linux, Windows  8.6.0.0 CF2017.12, 8.5.7 CF2017.06
IBM Business Process Manager Standard             AIX, Linux, Windows  8.5.7 CF2017.06

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================