Lucene search

IBME23F7B0954D8804CF73BA94A1EC50BB525067CF5C982BEE6402F9DE045B28EF2

HistoryApr 28, 2022 - 5:02 p.m.

Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2022-0155, CVE-2022-0536, CVE-2021-3749

2022-04-2817:02:02

www.ibm.com

ibm business automation workflow

ibm business process manager

information disclosure

vulnerability

cve-2022-0155

cve-2022-0536

cve-2021-3749

denial of service

remote attacker

authorization header

interim fix

cumulative fix

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.019

Percentile

88.7%

JSON

Summary

IBM Business Process Manager and IBM Business Automation Workflow are vulnerable to an information disclosure attack.

Vulnerability Details

CVEID:CVE-2021-3749
**DESCRIPTION:**axios is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the trim function. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause an application to consume an excessive amount of CPU.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208438 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-0155
**DESCRIPTION:**follow-redirects could allow a remote attacker to obtain sensitive information, caused by an unauthorized actor. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to obtain private personal information and use this information to launch further attacks against the affected system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-0536
**DESCRIPTION:**Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by a leakage of the Authorization header from the same hostname during HTTPS to HTTP redirection. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain Authorization header information, and use this information to launch further attacks against the affected system.
CVSS Base score: 2.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219551 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)	Status
IBM Business Automation Workflow traditional	V21.0.1 - V21.0.3
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.0 - V18.0.0.1	affected
IBM Business Automation Workflow containers	V21.0.1 - V21.0.3
V20.0.0.1 - V20.0.0.2	affected
IBM Business Process Manager	V8.6.0.0 - V8.6.0.201803	affected
IBM Business Process Manager	V8.5.0.0 - V8.5.0.201706	not affected

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR64327 as soon as practical. Note that the fix for 21.0.3 was published as a different APAR ID: JR64661.

Affected Product(s)	Version(s)	Remediation / Fix
IBM Business Automation Workflow traditional	V21.0.3	Apply JR64661
IBM Business Automation Workflow containers	V21.0.3	Apply IBM Business Automation Workflow containers 21.0.3-IF007 or later.
IBM Business Automation Workflow traditional	V21.0.2	Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow containers	V21.0.2	Apply IBM Business Automation Workflow containers 21.0.2-IF009 or later or upgrade to IBM Business Automation Workflow containers 21.0.3-IF007 or later
IBM Business Automation Workflow traditional	V20.0.0.2	Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow traditional	V20.0.0.1	Upgrade to IBM Business Automation Workflow v20.0.0.2 and apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow containers	V20.0.0.1
V20.0.0.2	Upgrade to IBM Business Automation Workflow containers 21.0.3-IF007 or later
IBM Business Automation Workflow traditional	V19.0.0.3	Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow traditional	V19.0.0.2
V19.0.0.1
V18.0.0.2
V18.0.0.1	Upgrade to IBM Business Automation Workflow 19.0.0.3 and apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Automation Workflow traditional	V18.0.0.0	Apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3
IBM Business Process Manager	V8.6.0.0 - V8.6.0.201803	Upgrade to IBM Business Process Manager Version 8.6 Cumulative Fix 2018.03 and apply JR64327 or upgrade to IBM Business Automation Workflow 21.0.3

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmbusiness_automation_workflowMatch18.0.0.0

ibmbusiness_automation_workflowMatch18.0.0.1

ibmbusiness_automation_workflowMatch18.0.0.2

ibmbusiness_automation_workflowMatch19.0.0.1

ibmbusiness_automation_workflowMatch19.0.0.2

ibmbusiness_automation_workflowMatch19.0.0.3

ibmbusiness_automation_workflowMatch20.0.0.1

ibmbusiness_automation_workflowMatch20.0.0.2

ibmbusiness_automation_workflowMatch21.0.2

ibmbusiness_automation_workflowMatch21.0.3

VendorProductVersionCPE
ibmbusiness_automation_workflow18.0.0.0cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.1cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow18.0.0.2cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.1cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.2cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow19.0.0.3cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:*:*:*:*:*:*:*
ibmbusiness_automation_workflow20.0.0.1cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:*:*:*:*:*:*:*
ibmbusiness_automation_workflow20.0.0.2cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow21.0.2cpe:2.3:a:ibm:business_automation_workflow:21.0.2:*:*:*:*:*:*:*
ibmbusiness_automation_workflow21.0.3cpe:2.3:a:ibm:business_automation_workflow:21.0.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	business_automation_workflow	18.0.0.0	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.0:::::::*
ibm	business_automation_workflow	18.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.1:::::::*
ibm	business_automation_workflow	18.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:18.0.0.2:::::::*
ibm	business_automation_workflow	19.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.1:::::::*
ibm	business_automation_workflow	19.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.2:::::::*
ibm	business_automation_workflow	19.0.0.3	cpe:2.3:a:ibm:business_automation_workflow:19.0.0.3:::::::*
ibm	business_automation_workflow	20.0.0.1	cpe:2.3:a:ibm:business_automation_workflow:20.0.0.1:::::::*
ibm	business_automation_workflow	20.0.0.2	cpe:2.3:a:ibm:business_automation_workflow:20.0.0.2:::::::*
ibm	business_automation_workflow	21.0.2	cpe:2.3:a:ibm:business_automation_workflow:21.0.2:::::::*
ibm	business_automation_workflow	21.0.3	cpe:2.3:a:ibm:business_automation_workflow:21.0.3:::::::*