
Security Bulletin: Cross-Site Request Forgery vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2022-22361

2022-05-27 06:43:34
www.ibm.com
ibm business automation workflow
ibm business process manager
cross-site request forgery
vulnerability
cve-2022-22361
interim fix
cumulative fix
remediation

CVSS2: 4.3
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 20.0%

Summary

The Process Admin Console in IBM Business Process Manager and IBM Business Automation Workflow is vulnerable to a Cross-Site Request Forgery attack.

Vulnerability Details

CVEID: CVE-2022-22361
DESCRIPTION: IBM Business Automation Workflow is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/220784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
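The description above is the standard CWE-352 wording: the browser attaches the victim's session cookie to a request that a third-party site triggered, so a state-changing endpoint that relies on the cookie alone cannot tell a forged request from a genuine one. The following is an added example (not IBM's code and not the Process Admin Console's implementation) of the two server-side controls that close that gap: a per-session synchronizer token that a cross-site page cannot read, and an exact Origin/Referer check. The endpoint, origin, session store and all requests are constructed for the example.

```python
"""Added example: CSRF defence for a state-changing admin endpoint.

Hypothetical code. Nothing here is from IBM; the trusted origin, the
session store and the request objects are constructed for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed value: the only origin allowed to drive admin actions.
TRUSTED_ORIGIN = "https://bpm.example.internal"


@dataclass
class Session:
    user: str
    # Synchronizer token: random, per session, never sent as a cookie, so
    # a page on another origin cannot obtain it to include in a forged form.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]   # what the browser attaches automatically
    headers: Dict[str, str]
    form: Dict[str, str]      # what the submitting page controls


SESSIONS: Dict[str, Session] = {}   # constructed in-memory session store


def login(user: str) -> str:
    """Create a session and return its cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def source_origin(headers: Dict[str, str]) -> Optional[str]:
    """Normalise Origin (or, failing that, Referer) to scheme://host[:port].

    Comparing the full origin, not a prefix, avoids accepting a look-alike
    host such as trusted.example.evil.test.
    """
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw:
        return None
    parts = urlsplit(raw)
    return f"{parts.scheme}://{parts.netloc}"


def handle_update(req: Request) -> Tuple[int, str]:
    """Return (status, reason) for a state-changing admin action.

    The session cookie proves who the browser belongs to; the token and
    the origin check prove that the user's own page, not a third-party
    page, submitted the request.
    """
    if req.method != "POST":
        return 405, "state-changing actions must use POST"
    sess = SESSIONS.get(req.cookies.get("sid", ""))
    if sess is None:
        return 401, "not authenticated"
    if source_origin(req.headers) != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison so token checking does not leak by timing.
    if not hmac.compare_digest(token, sess.csrf_token):
        return 403, "missing or invalid CSRF token"
    return 200, f"action applied for {sess.user}"


if __name__ == "__main__":
    sid = login("bpmadmin")
    token = SESSIONS[sid].csrf_token
    genuine = Request("POST", {"sid": sid}, {"Origin": TRUSTED_ORIGIN},
                      {"csrf_token": token, "action": "change-setting"})
    # A forged request carries the same cookie (the browser adds it) but
    # neither the trusted origin nor the token.
    forged = Request("POST", {"sid": sid}, {"Origin": "https://attacker.example"},
                     {"action": "change-setting"})
    print(handle_update(genuine))   # (200, 'action applied for bpmadmin')
    print(handle_update(forged))    # (403, 'cross-origin request rejected')
```

Both checks are needed: the origin check fails open when a browser sends no Origin or Referer, and the token check alone does not help if the token leaks into a URL; setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer. The fix IBM ships for this CVE is not described on the page, so the code above should be read as the general defence, not as what the interim fix does.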

Affected Products and Versions

| Affected Product(s) | Version(s) | Status |
|---|---|---|
| IBM Business Automation Workflow traditional | V21.0.1 - V21.0.3; V20.0.0.1 - V20.0.0.2; V19.0.0.1 - V19.0.0.3; V18.0.0.0 - V18.0.0.1 | affected |
| IBM Business Automation Workflow containers | V21.0.1 - V21.0.3; V20.0.0.1 - V20.0.0.2 | affected |
| IBM Business Process Manager | V8.6.0.0 - V8.6.0.201803; V8.5.0.0 - V8.5.0.201706 | affected |

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64339 as soon as practical.

| Affected Product(s) | Version(s) | Remediation / Fix |
|---|---|---|
| IBM Business Automation Workflow traditional | V21.0.3 | Apply JR64596. |
| IBM Business Automation Workflow Containers | V21.0.3 | Apply 21.0.3-IF010. |
| IBM Business Automation Workflow traditional | V21.0.2 | Apply JR64596 or upgrade to IBM Business Automation Workflow 21.0.3 and apply JR64596. |
| IBM Business Automation Workflow Containers | V21.0.2 | Apply 21.0.2-IF011 or upgrade to IBM Business Automation Workflow containers 21.0.3. |
| IBM Business Automation Workflow traditional | V20.0.0.2 | Apply JR64596 or upgrade to IBM Business Automation Workflow 21.0.3 and apply JR64596. |
| IBM Business Automation Workflow traditional | V20.0.0.1 | Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply JR64596, or upgrade to IBM Business Automation Workflow 21.0.3 and apply JR64596. |
| IBM Business Automation Workflow traditional | V19.0.0.3 | Apply JR64596 or upgrade to IBM Business Automation Workflow 21.0.3. |
| IBM Business Automation Workflow traditional | V19.0.0.2; V19.0.0.1; V18.0.0.2; V18.0.0.1 | Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply JR64596, or upgrade to IBM Business Automation Workflow 21.0.3 and apply JR64596. |
| IBM Business Automation Workflow traditional | V18.0.0.0 | Apply JR64596 or upgrade to IBM Business Automation Workflow 21.0.3 and apply JR64596. |
| IBM Business Process Manager | V8.6.0.0 - V8.6.0.201803 | Upgrade to IBM Business Process Manager Version 8.6 Cumulative Fix 2018.03 and apply JR64596, or upgrade to IBM Business Automation Workflow 21.0.3 and apply JR64596. |
| IBM Business Process Manager | V8.5.0.0 - V8.5.7.201706 | Upgrade to IBM Business Process Manager Version 8.5.7 Cumulative Fix 2017.06 and apply JR64339 for the edition of your product. |

Workarounds and Mitigations

None


