-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.2922
 Reverse tabnabbing vulnerability in IBM Business Automation Workflow and
            IBM Business Process Manager (BPM) (CVE-2019-4425)
                               5 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation Workflow
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4425  

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10959261

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Reverse tabnabbing vulnerability in IBM Business Automation
Workflow and IBM Business Process Manager (BPM) (CVE-2019-4425)

Document information

More support for: IBM Business Automation Workflow

Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2

Operating system(s): Platform Independent

Reference #: 0959261

Modified date: 02 August 2019

Summary

A reverse tabnabbing vulnerability has been found in IBM Business Automation
Workflow and IBM BPM. In a reverse tabnabbing attack, a page opened from a
link in a new tab keeps a window.opener reference to the originating tab and
uses it to navigate that tab elsewhere, for example to a look-alike login page.

Vulnerability Details

CVEID: CVE-2019-4425
DESCRIPTION: IBM Business Automation Workflow could allow an authenticated user
to obtain highly sensitive information from another user by inserting links
that, when clicked on by unsuspecting users, open a page able to navigate the
originating tab (reverse tabnabbing).
CVSS Base Score: 5.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162771 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
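
The bulletin does not say where in the product the links are inserted or how
they are rendered. The following is an added example, not IBM code and not
taken from the bulletin, that shows the mechanism behind this vulnerability
class and a check a practitioner can run over captured page markup. It assumes
user-supplied links are rendered as <a> tags with target="_blank"; the
attacker host, the look-alike login path and the sample comment markup are
constructed placeholders.

```javascript
// Added example (not IBM's code): reverse tabnabbing mechanism, an audit of
// rendered anchors, and the usual hardening (rel="noopener noreferrer").
// All hosts, paths and sample markup below are constructed for illustration.

// 1. What the attacker-controlled page, opened in the NEW tab, can do: because
//    the opening page left window.opener set, cross-origin top-level navigation
//    of the ORIGINAL tab is permitted. The victim, busy with the new tab,
//    later returns to a tab that now shows a look-alike login page.
const ATTACKER_PAGE_SCRIPT = `
if (window.opener) {
  window.opener.location = "https://attacker.example/login-lookalike";
}`;

// 2. Audit: find <a> tags that open a new browsing context without severing
//    the opener relationship. Regex based on purpose so it runs on a captured
//    HTML response without a DOM; treat it as a heuristic, not a parser.
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Return the value of attribute `name` inside one tag string, or null.
function attrValue(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// An anchor is unsafe when it targets _blank and rel lacks both noopener and
// noreferrer (noreferrer implies noopener in browsers that support it).
function isUnsafeAnchor(tag) {
  const target = attrValue(tag, "target");
  if (!target || target.toLowerCase() !== "_blank") return false;
  const rel = (attrValue(tag, "rel") || "").toLowerCase().split(/\s+/);
  return !(rel.includes("noopener") || rel.includes("noreferrer"));
}

function findUnsafeAnchors(html) {
  return (html.match(ANCHOR_RE) || []).filter(isUnsafeAnchor);
}

// 3. Hardening: add rel="noopener noreferrer" to every offending anchor,
//    preserving any rel tokens already present. A server-side renderer would
//    apply the same rule when it emits the tag.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isUnsafeAnchor(tag)) return tag;
    const rel = attrValue(tag, "rel");
    if (rel === null) {
      return tag.replace(/^<a\b/i, '<a rel="noopener noreferrer"');
    }
    return tag.replace(/\brel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i,
                       `rel="${rel} noopener noreferrer"`);
  });
}

// Constructed sample: a comment body as an application might render it. The
// first and third anchors are vulnerable; the second already carries noopener.
const SAMPLE_HTML = `
<p>See <a href="https://attacker.example/doc" target="_blank">the spec</a>,
<a href="/tasks/42" target="_blank" rel="noopener">task 42</a> and
<a href="https://example.org" target="_blank" rel="nofollow">this</a>.</p>`;

// Stand-alone run: list the offending tags, then show the hardened markup.
if (typeof require !== "undefined" && require.main === module) {
  console.log(findUnsafeAnchors(SAMPLE_HTML));
  console.log(hardenAnchors(SAMPLE_HTML));
}
```

The same rule applies to links opened from script: window.open(url, "_blank",
"noopener") breaks the opener reference just as the rel attribute does. Note
that browsers released after this bulletin treat target="_blank" as noopener
by default; the audit above is still worth running because the fix must not
depend on which browser the victim uses.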

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2

- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix
2018.03

- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
2017.06

- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- - IBM Business Process Manager V8.5.5.0

- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3

Remediation/Fixes

Install interim fix JR61123 as appropriate for your current IBM Business
Automation Workflow or IBM BPM version.

  o IBM Business Automation Workflow
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2
. Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required
by iFix and then apply iFix JR61123
- --OR--
. Apply cumulative fix IBM Business Automation Workflow V19.0.0.3

For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFix and then
apply iFix JR61123

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply Cumulative Fix 2017.06 and then apply iFix JR61123

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
. Apply CF2 as required by iFix and then apply iFix JR61123

For IBM BPM V8.5.5.0
. Apply iFix JR61123

For IBM BPM V8.5.0.0 through V8.5.0.2
. Install Fix Pack 2 as required by iFix and then apply iFix JR61123

For IBM BPM V8.0.0.0 through V8.0.1.3
. Upgrade to at least Refresh Pack 1, install Fix Pack 3 as required by iFix
and then apply iFix JR61123

As IBM Business Process Manager V8.0 is out of general support, customers with
a support extension contract can contact IBM support to request the fix.

Workarounds and Mitigations

None

Change History

02 Aug 2019: initial version published

*The CVSS Environmental Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

                         Cross reference information

  Product                          Platform      Version
  -------------------------------  ------------  ------------------------------
  IBM Business Process Manager     Platform      8.6.0.CF201803, 8.6.0.CF201712,
                                   Independent   8.6
  IBM Business Process Manager     Platform      8.5.7.CF201706, 8.5.7.CF201703,
  Advanced                         Independent   8.5.7.CF201612, 8.5.7.CF201609,
                                                 8.5.7.CF201606, 8.5.7, 8.5.6.2,
                                                 8.5.6.1, 8.5.6
  IBM Business Process Manager     Platform      8.6.0.CF201803, 8.6.0.CF201712,
  Express                          Independent   8.6, 8.5.7.CF201706,
                                                 8.5.7.CF201703, 8.5.7.CF201612,
                                                 8.5.7.CF201609, 8.5.7.CF201606,
                                                 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6
  IBM Business Process Manager     Platform      8.5.7.CF201706, 8.5.7.CF201703,
  Standard                         Independent   8.5.7.CF201612, 8.5.7.CF201609,
                                                 8.5.7.CF201606, 8.5.7, 8.5.6.2,
                                                 8.5.6.1, 8.5.6

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----