Lucene search

IBMEA188C8CDA535DA47C20D5ED87277CF16E1543CB44FCA24C0BD2F9C559D4FC01

HistorySep 14, 2022 - 3:02 p.m.

Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow (CVE-2019-4045)

2022-09-1415:02:20

www.ibm.com

ibm

business automation workflow

spoofing vulnerability

cve-2019-4045

security bulletin

document management

cvss

vulnerabilities

ibm business process manager

cumulative fix

interim fix

apar jr60556

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

19.6%

JSON

Summary

A Spoofing vulnerability has been found in IBM Business Automation Workflow.

Vulnerability Details

CVEID: CVE-2019-4045 DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager provide embedded document management features. Because of a missing restriction in an API, a client might spoof the last modified by value of a document.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156241> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60556 as soon as practical:

IBM Business Automation Workflow (including fix for IBM Business Process Manager V8.6.0.0 2018.03)
IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60556
--OR–
· Apply cumulative fix Business Automation Workflow V19.0.0.1

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
· Apply C F2 and then apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
· Apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
· Apply iFix JR60556
--OR–
· Upgrade to Business Automation Workflow V19.0.0.1

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmbusiness_automation_workflowMatch18.0.0.0

ibmbusiness_automation_workflowMatch18.0.0.1

ibmbusiness_automation_workflowMatch18.0.0.2

ibmbusiness_process_managerMatch8.6.0.

ibmbusiness_process_managerMatch201803

ibmbusiness_process_managerMatch8.6.0.

ibmbusiness_process_managerMatch201712

ibmbusiness_process_managerMatch8.6

ibmbusiness_process_managerMatch8.5.7.advanced

ibmbusiness_process_managerMatch201706advanced

ibmbusiness_process_managerMatch8.5.7.advanced

ibmbusiness_process_managerMatch201703advanced

ibmbusiness_process_managerMatch8.5.7.advanced

ibmbusiness_process_managerMatch201612advanced

ibmbusiness_process_managerMatch8.5.7.advanced

ibmbusiness_process_managerMatch201609advanced

ibmbusiness_process_managerMatch8.5.7.advanced

ibmbusiness_process_managerMatch201606advanced

ibmbusiness_process_managerMatch8.5.7advanced

ibmbusiness_process_managerMatch8.5.6.2advanced

ibmbusiness_process_managerMatch8.5.6.1advanced

ibmbusiness_process_managerMatch8.5.6advanced

ibmbusiness_process_managerMatch8.5.5advanced

ibmbusiness_process_managerMatch8.5.0.2advanced

ibmbusiness_process_managerMatch8.5.0.1advanced

ibmbusiness_process_managerMatch8.5advanced

ibmbusiness_process_managerMatch8.6.0.express

ibmbusiness_process_managerMatch201803express

ibmbusiness_process_managerMatch8.6.0.express

ibmbusiness_process_managerMatch201712express

ibmbusiness_process_managerMatch8.6express

ibmbusiness_process_managerMatch8.5.7.express

ibmbusiness_process_managerMatch201706express

ibmbusiness_process_managerMatch8.5.7.express

ibmbusiness_process_managerMatch201703express

ibmbusiness_process_managerMatch8.5.7.express

ibmbusiness_process_managerMatch201612express

ibmbusiness_process_managerMatch8.5.7.express

ibmbusiness_process_managerMatch201609express

ibmbusiness_process_managerMatch8.5.7.express

ibmbusiness_process_managerMatch201606express

ibmbusiness_process_managerMatch8.5.7express

ibmbusiness_process_managerMatch8.5.6.2express

ibmbusiness_process_managerMatch8.5.6.1express

ibmbusiness_process_managerMatch8.5.6express

ibmbusiness_process_managerMatch8.5.5express

ibmbusiness_process_managerMatch8.5.0.2express

ibmbusiness_process_managerMatch8.5.0.1express

ibmbusiness_process_managerMatch8.5express