In addition to many updates of open source packages, the following security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.2-IF009 and 21.0.3-IF007.
CVEID: CVE-2021-29835
**DESCRIPTION:** IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 204833.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204833 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2021-39046
**DESCRIPTION:** IBM Business Automation Workflow 18.0, 19.0, 20.0, and 21.0 and IBM Business Process Manager 8.5 and 8.6 store user credentials in plain clear text, which can be read by a privileged user. IBM X-Force ID: 214346.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
Affected Product(s) | Version(s) | Status |
---|---|---|
IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF006 | affected |
IBM Cloud Pak for Business Automation | V21.0.2 - V21.0.2-IF008 | affected |
IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF007<br>V20.0.1 - V20.0.3<br>V19.0.1 - V19.0.3<br>V18.0.0 - V18.0.2 | affected |
The recommended solution is to apply the February 2022 security fix as soon as practical.
Affected Product(s) | Version(s) | Remediation / Fix |
---|---|---|
IBM Cloud Pak for Business Automation | V21.0.3 - V21.0.3-IF004 | Apply security fix 21.0.3-IF007 |
IBM Cloud Pak for Business Automation | V21.0.2 - V21.0.2-IF007 | Apply security fix 21.0.2-IF009 or upgrade to 21.0.3-IF007 |
IBM Cloud Pak for Business Automation | V21.0.1 - V21.0.1-IF008<br>V20.0.1 - V20.0.3<br>V19.0.1 - V19.0.3<br>V18.0.0 - V18.0.2 | Upgrade to 21.0.2-IF009 or 21.0.3-IF007 |
None