Security Bulletin: Multiple vulnerabilities in angular.js may affect IBM Business Automation Workflow ( CVE-2019-14863, CVE-2020-7676, CVE-2019-10768)

Summary

IBM Business Automation Workflow packages a vulnerable version of angular js.

Vulnerability Details

CVEID:CVE-2019-14863
**DESCRIPTION:**Angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173893 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-7676
**DESCRIPTION:**angular.js is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183379 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-10768
**DESCRIPTION:**AngularJS could allow a remote attacker to bypass security restrictions, caused by a prototype pollution flaw in the merge function. By sending a specially-crafted request using a constructor payload, a remote attacker could exploit this vulnerability to add or modify properties of Object.prototype.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172185 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

V22.0.2 all fixes

| not affected
IBM Business Automation Workflow containers|

V22.0.1 all fixes
V21.0.3 - V21.0.3-IFT020
V21.0.2 all fixes
V20.0.0.2 all fixes
V20.0.0.1 all fixes

| affected
IBM Business Automation Workflow traditional| V22.0.2| not affected
IBM Business Automation Workflow traditional| V22.0.1
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3| affected
IBM Business Automation Workflow Enterprise Service Bus| V22.0.2| not affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT213423 as soon as practical.

Apply DT213423
or upgrade to IBM Business Automation Workflow traditional V22.0.2

IBM Business Automation Workflow traditional| V20.0.0.2| Upgrade to IBM Business Automation Workflow traditional V22.0.2
IBM Business Automation Workflow traditional| V22.0.1
V21.0.2
V20.0.0.1
V19.0.0.3| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum

Workarounds and Mitigations

None