Security Bulletin: External Service invocation in IBM Business Space affects IBM Business Automation Workflow and IBM Business Process Manager family products (CVE-2018-1885)

Summary

A vulnerability in IBM Business Space can allow an attacker to cause an external service invocation.

Vulnerability Details

CVEID: CVE-2018-1885
DESCRIPTION: IBM Business Space could allow an unauthenticated attacker to obtain sensitve information using a specially cracted HTTP request.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152020&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager Enterprise Service Bus V8.6

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- WebSphere Enterprise Service Bus V7.0.0.0 through V7.5.1.2

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60524 as soon as practical:

• IBM Business Automation Workflow (including fix for IBM Business Process Manager V8.6.0.0 2018.03)
• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
· Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by iFix and then apply iFix JR60524
--OR–
· Apply cumulative fix Business Automation Workflow V19.0.0.1

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to at least IBM BPM 8.6.0.0 CF 2018.03 as required by iFix and then apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
· Apply C F2 and then apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
· Apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
· Apply iFix JR60524
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For products in extended support:

• IBM Business Process Manager V7.5.0.0 through V8.0.1.3

· Migrate to Business Automation Workflow V19.0.0.1

• IBM Websphere Enterprise Service Bus V7.0 through V7.5.1.2

· Migrate to IBM Business Process Manager Enterprise Service Bus V8.6

--OR–

· Contact IBM support to obtain and then apply iFix JR60524

Workarounds and Mitigations

None