===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3028
        XML External Entity Injection vulnerability in IBM Business
           Automation Workflow and IBM Business Process Manager
                               9 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation Workflow
                   IBM Business Process Manager
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4424

Original Bulletin:
   https://www.ibm.com/support/docview.wss?uid=ibm10959537

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: XML External Entity Injection vulnerability in IBM Business
Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4424)

Document information
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2
Operating system(s): Platform Independent
Reference #: 0959537
Modified date: 06 August 2019

Summary

An XML External Entity Injection vulnerability in IBM Business Automation
Workflow and IBM BPM has been found.

Vulnerability Details

CVEID: CVE-2019-4424
DESCRIPTION: IBM Business Automation Workflow is vulnerable to an XML External
Entity Injection (XXE) attack when processing XML data. A remote attacker could
exploit this vulnerability to expose sensitive information or consume memory
resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162770
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
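What the two impacts in the description look like at the XML parser, as an added example that is not part of the IBM bulletin or the AusCERT redistribution: a Python gate that an XML-consuming component can run on untrusted input before its real parser sees it, reporting external entity declarations (the information-disclosure vector) and nested internal entities (the memory-consumption vector), plus the usual hardening policy of refusing any document that carries a DTD. The sample documents and the placeholder path are constructed for this example.

```python
import xml.parsers.expat


def classify_dtd(xml_bytes: bytes) -> dict:
    """Report the DTD constructs that enable XXE. Only expat's declaration
    callbacks are used and no ExternalEntityRefHandler is installed, so
    external entities are never fetched while classifying."""
    findings = {"doctype": False, "external_entities": [], "nested_entities": []}
    internal = {}  # name -> unexpanded replacement text of internal entities

    def on_doctype(name, system_id, public_id, has_internal_subset):
        findings["doctype"] = True

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            # <!ENTITY x SYSTEM "..."> or PUBLIC "...": the disclosure vector
            findings["external_entities"].append(name)
        elif value is not None:
            internal[name] = value

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass  # malformed input: whatever the prolog declared is still recorded
    # An internal entity whose value references other entities is the
    # building block of entity-expansion (memory exhaustion) attacks.
    for name, value in internal.items():
        if any("&%s;" % other in value for other in internal):
            findings["nested_entities"].append(name)
    return findings


def is_safe_to_parse(xml_bytes: bytes) -> bool:
    """Policy used by hardened parsers: refuse any document carrying a DTD."""
    return not classify_dtd(xml_bytes)["doctype"]


# Constructed sample documents (not from the bulletin); the path is a placeholder.
SAFE_DOC = b'<?xml version="1.0"?><order id="42"><item>widget</item></order>'
EXTERNAL_DOC = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
                b'<order>&ext;</order>')
EXPANSION_DOC = (b'<?xml version="1.0"?>'
                 b'<!DOCTYPE order [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                 b'<order>&b;</order>')
```

Running `classify_dtd` on the three constants reports no DTD for `SAFE_DOC`, the external entity `ext` for `EXTERNAL_DOC`, and the nested entity `b` for `EXPANSION_DOC`; `is_safe_to_parse` accepts only the first.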

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- IBM Business Process Manager V7.5.0.0 through V7.5.1.2

Remediation/Fixes

Install interim fix JR61232 as appropriate for your current IBM Business
Automation Workflow or IBM BPM version.

  * IBM Business Automation Workflow
  * IBM Business Process Manager Advanced
  * IBM Business Process Manager Standard
  * IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2
- Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by
iFix and then apply iFix JR61232
--OR--
- Apply cumulative fix IBM Business Automation Workflow V19.0.0.3

For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
- Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFix and then
apply iFix JR61232

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Apply Cumulative Fix 2017.06 and then apply iFix JR61232

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
- Apply CF2 as required by iFix and then apply iFix JR61232

For IBM BPM V8.5.5.0
- Apply iFix JR61232

For IBM BPM V8.5.0.0 through V8.5.0.2
- Install Fix Pack 2 as required by iFix and then apply iFix JR61232

For IBM BPM V8.0.0.0 through V8.0.1.3
- Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix
and then apply iFix JR61232

For IBM BPM V7.0.0.0 through V7.5.1.2
- Upgrade to minimal Refresh Pack 1, install Fix Pack 2 as required by iFix
and then apply iFix JR61232

As IBM Business Process Manager V7.5 and V8.0 are out of general support,
customers with a support extension contract can contact IBM support to request
the fix.

Workarounds and Mitigations

None

Change History

6 August 2019: initial version published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================