-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3028
   XML External Entity Injection vulnerability in IBM Business Automation
                 Workflow and IBM Business Process Manager
                               9 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation Workflow
                   IBM Business Process Manager
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4424

Original Bulletin:
   https://www.ibm.com/support/docview.wss?uid=ibm10959537

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: XML External Entity Injection vulnerability in IBM Business
Automation Workflow and IBM Business Process Manager (BPM) (CVE-2019-4424)

Document information

Software version:    18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1, 19.0.0.2
Operating system(s): Platform Independent
Reference #:         0959537
Modified date:       06 August 2019

Summary

An XML External Entity Injection vulnerability in IBM Business Automation
Workflow and IBM BPM has been found.

Vulnerability Details

CVEID: CVE-2019-4424
DESCRIPTION: IBM Business Automation Workflow is vulnerable to an XML External
Entity Injection (XXE) attack when processing XML data. A remote attacker could
exploit this vulnerability to expose sensitive information or consume memory
resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/162770 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2

Remediation/Fixes

Install interim fix JR61232 as appropriate for your current IBM Business
Automation Workflow or IBM BPM version.

  * IBM Business Automation Workflow
  * IBM Business Process Manager Advanced
  * IBM Business Process Manager Standard
  * IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2
- - Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required
    by iFix and then apply iFix JR61232
- --OR--
- - Apply cumulative fix IBM Business Automation Workflow V19.0.0.3

For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2018.03
- - Upgrade to at least IBM BPM V8.6.0.0 CF 2017.12 as required by iFix and then
    apply iFix JR61232

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- - Apply Cumulative Fix 2017.06 and then apply iFix JR61232

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
- - Apply CF2 as required by iFix and then apply iFix JR61232

For IBM BPM V8.5.5.0
- - Apply iFix JR61232

For IBM BPM V8.5.0.0 through V8.5.0.2
- - Install Fix Pack 2 as required by iFix and then apply iFix JR61232

For IBM BPM V8.0.0.0 through V8.0.1.3
- - Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix
    and then apply iFix JR61232

For IBM BPM V7.0.0.0 through V7.5.1.2
- - Upgrade to minimal Refresh Pack 1, install Fix Pack 2 as required by iFix
    and then apply iFix JR61232

As IBM Business Process Manager V7.5 and V8.0 are out of general support,
customers with a support extension contract can contact IBM support to request
the fix.

Workarounds and Mitigations

None

Change History

6 August 2019: initial version published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXUyq02aOgq3Tt24GAQi2qBAAt0rVan7BcBgu7I28zDKmEajNyLjsX1Ca
YjSg0IllYfacuyMTbN1QCYaY8T4r7LjEmZkaDPxhLvqUJo2njTH3IhPIMRV+Lost
a/d/wTtiQ55F3sss7Q4/XQpwjxuB9ABP3kyJQ1OaFbDLimHlDHNAzeCMrffO5M7I
+ZF//JmFqR9PMS4TYi7685Zs16Kotf9zJjCCZdxMoFDnbccAR6Dx3LlcyTNSdIXp
lzwgMGQ4IVtXnMicWmVPtDgoQlQnlhAWBYlgLFh62sVNWEtL1J+ct53vlnq/uvc8
jxQHCznhf0mAdvujfhKZj5OekWX7uBvhCAVV+RgKx4Ncwhc/KyPCwRDGD5jPFwCh
2SUEwQQfVeSWh2pDLdk6eJALLFPOlj6t+pLvwcyGWOrWPtMMIVHr6g65xgSfgJXE
W5hxha9641UtgqoN0Oeageq8YbE3rGV/p1Kw40NRjDtSSRB3SZOBUfZLxMJOtLOx
GR6cRdhbo416ZRlxF0WB1e3B21DyNEsBeqacPa1pb1FyRj1iPZg0yazv0n7EzRjX
DOq64AtB2MYLiMM0FB+kDIocydH1TKy2tGh8L5H10o8PexXnjMKlLx4inSA4YZmo
DRn4etZQReDsJ28GZXkgGTQb2yVU+EXTc3IPU5rGq9XNrswjePspVzgvnU8WjWOX
XrCGi4G3he8=
=Y1AH
-----END PGP SIGNATURE-----
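The IBM text above says only that the product is exposed to XXE when it processes XML data (information disclosure or memory consumption), and the bulletin lists no workaround. The following is an added example that is not part of the AusCERT or IBM bulletin and does not describe how interim fix JR61232 works: a gateway-side check, written in Python with only the standard library, that refuses any XML body carrying a DOCTYPE before it reaches a DTD-processing parser, and records why, so the refusal can be logged as a detection while patching is scheduled. The function names and the sample documents are constructed for this example.

```python
"""Gateway-side XML gate: refuse any document that carries a DTD.

Added example for ESB-2019.3028; not IBM or AusCERT code. Function names and
sample inputs are hypothetical. Only the standard-library expat parser is used,
and it is told never to follow parameter entities or external DTD subsets, so
the check itself is safe to run on hostile input.
"""
from xml.parsers import expat

# Categories, worst first. Anything other than "clean" is refused at the gate;
# the category exists so the detection log carries a useful reason.
SEVERITY = [
    "entity-external",   # <!ENTITY name SYSTEM/PUBLIC ...>: the classic XXE shape
    "entity-parameter",  # <!ENTITY % name ...>: parameter entity declared
    "doctype-external",  # <!DOCTYPE root SYSTEM/PUBLIC ...>: external DTD subset
    "entity-internal",   # internal entities only: expansion / memory risk
    "doctype-internal",  # a DOCTYPE with no entity declarations at all
    "clean",             # no DOCTYPE present
]


class _DtdSeen(Exception):
    """Internal: aborts parsing at the end of the DOCTYPE so nothing is expanded."""


def classify_xml(data: bytes) -> str:
    """Return the worst SEVERITY category found in the document's DOCTYPE,
    "clean" if there is none, or "malformed" if expat rejects the input.

    Parsing is abandoned as soon as the DOCTYPE ends: entity declarations are
    observed at declaration time and their values are never expanded.
    """
    worst = "clean"

    def note(category: str) -> None:
        nonlocal worst
        if SEVERITY.index(category) < SEVERITY.index(worst):
            worst = category

    def start_doctype(name, sysid, pubid, has_internal_subset):
        note("doctype-external" if (sysid or pubid) else "doctype-internal")

    def entity_decl(name, is_parameter, value, base, sysid, pubid, notation):
        if sysid or pubid:
            note("entity-external")
        elif is_parameter:
            note("entity-parameter")
        else:
            note("entity-internal")

    def end_doctype():
        raise _DtdSeen()

    parser = expat.ParserCreate()
    # Never resolve parameter entities or fetch an external DTD while classifying.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.EndDoctypeDeclHandler = end_doctype
    try:
        parser.Parse(data, True)
    except _DtdSeen:
        pass
    except expat.ExpatError:
        return "malformed"
    return worst


def accept_for_workflow(data: bytes) -> bool:
    """Gate decision: only well-formed, DTD-free XML is forwarded."""
    return classify_xml(data) == "clean"


# Constructed sample bodies; the host name uses the reserved .invalid TLD.
SAMPLES = {
    "plain":    b'<?xml version="1.0"?><task><id>42</id></task>',
    "internal": b'<!DOCTYPE task [ <!ENTITY unit "hours"> ]><task>&unit;</task>',
    "external": b'<!DOCTYPE task [ <!ENTITY ext SYSTEM "http://dtd.example.invalid/x"> ]><task>&ext;</task>',
    "param":    b'<!DOCTYPE task [ <!ENTITY % cfg "x"> ]><task/>',
    "extdtd":   b'<!DOCTYPE task SYSTEM "http://dtd.example.invalid/task.dtd"><task/>',
    "broken":   b'<task><id>42</task>',
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        verdict = "forward" if accept_for_workflow(body) else "REJECT"
        print(f"{label:9} {verdict:8} reason={classify_xml(body)}")
```

Refusing every DOCTYPE, rather than trying to distinguish harmless DTDs from harmful ones, is deliberate: the product's own XML exchanges do not need a DTD, and a blanket rule has no bypass to reason about. The category is for the SOC, not for the decision.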