-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1161
      multiple vulnerabilities discovered in IBM Business Automation
                               5 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation
Publisher:         IBM
Operating System:  AIX
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data         -- Existing Account
                   Cross-site Request Forgery     -- Remote with User Interaction
                   Denial of Service              -- Remote/Unauthenticated
                   Cross-site Scripting           -- Existing Account
                   Access Confidential Data       -- Remote/Unauthenticated
                   Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4080 CVE-2019-4046 CVE-2019-4045 CVE-2019-4030
                   CVE-2018-11212 CVE-2018-10237 CVE-2018-2000 CVE-2018-1999
                   CVE-2018-1997 CVE-2018-1996 CVE-2018-1902 CVE-2018-1885
Reference:         ASB-2018.0219 ESB-2019.1158 ESB-2019.1098.3 ESB-2019.1083.2
                   ESB-2019.1067 ESB-2019.1059 ESB-2019.1056 ESB-2019.1055

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10794831
   http://www.ibm.com/support/docview.wss?uid=ibm10870494
   http://www.ibm.com/support/docview.wss?uid=ibm10870496
   http://www.ibm.com/support/docview.wss?uid=ibm10870502
   http://www.ibm.com/support/docview.wss?uid=ibm10870760
   http://www.ibm.com/support/docview.wss?uid=ibm10872352
   http://www.ibm.com/support/docview.wss?uid=ibm10875276
   http://www.ibm.com/support/docview.wss?uid=ibm10875432
   http://www.ibm.com/support/docview.wss?uid=ibm10875436
   http://www.ibm.com/support/docview.wss?uid=ibm10878106
   http://www.ibm.com/support/docview.wss?uid=ibm10878446
   http://www.ibm.com/support/docview.wss?uid=ibm10878663

Comment: This bulletin contains twelve (12) advisories.
--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Denial of service vulnerability in IBM Business Automation
Workflow (CVE-2018-1997)

Document information
More support for:     IBM Business Automation Workflow
Software version:     18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s):  AIX, Linux, Windows
Reference #:          0794831
Modified date:        04 April 2019

Summary

A denial of service vulnerability has been found in IBM Business Automation
Workflow.

Vulnerability Details

CVEID: CVE-2018-1997
DESCRIPTION: IBM Business Automation Workflow and Business Process Manager are
vulnerable to a denial of service attack. An authenticated attacker might send
a specially crafted request that exhausts server-side memory.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/154774 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager Advanced V8.5.7.0 through V8.5.7.0 Cumulative
  Fix 2017.06
- IBM Business Process Manager Advanced V8.5.6.0 through V8.5.6.0 Cumulative
  Fix 2
- IBM Business Process Manager Advanced V8.5.5.0

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60499 as soon as practical:

  o IBM Business Automation Workflow (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60499
    Note that Business Automation Workflow 18.0.0.0 is a software bundle that
    includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the
    fix for IBM Business Automation Workflow 18.0.0.0, download the fix
    labeled "8.6.0.201803-WS-BPM-IFJR60499".
  --OR--
  . Apply cumulative fix Business Automation Workflow V19.0.0.1

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60499
    Note that Business Automation Workflow 18.0.0.0 is a software bundle that
    includes IBM Business Process Manager V8.6.0.0 CF 2018.03. To download the
    fix for IBM Business Process Manager V8.6.0.0 CF 2018.03, download the fix
    labeled "8.6.0.201803-WS-BPM-IFJR60499".
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
  . Apply Cumulative Fix 2017.06 and then apply iFix JR60499
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
  . Apply CF2 and then apply iFix JR60499
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
  . Apply iFix JR60499
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Product: IBM Business Process Manager
  Platform: AIX, Linux, Windows
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6

Product: IBM Business Process Manager Advanced
  Platform: AIX, Linux, Solaris, Windows, z/OS
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5

Product: IBM Business Process Manager Standard
  Platform: AIX, Linux, Solaris, Windows
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5

Product: IBM Business Process Manager Express
  Platform: Linux, Windows
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706,
            8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606,
            8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5

================================================================================

Security Bulletin: Spoofing vulnerability in IBM Business Automation Workflow
(CVE-2019-4045)

Document information
More support for:     IBM Business Automation Workflow
Software version:     18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s):  Platform Independent
Reference #:          0870494
Modified date:        04 April 2019

Summary

A spoofing vulnerability has been found in IBM Business Automation Workflow.

Vulnerability Details

CVEID: CVE-2019-4045
DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager
provide embedded document management features. Because of a missing
restriction in an API, a client might spoof the "last modified by" value of a
document.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/156241 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60556 as soon as practical:

  o IBM Business Automation Workflow (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60556
  --OR--
  . Apply cumulative fix Business Automation Workflow V19.0.0.1

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60556
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
  . Apply Cumulative Fix 2017.06 and then apply iFix JR60556
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
  . Apply CF2 and then apply iFix JR60556
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
  . Apply iFix JR60556
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
  . Apply iFix JR60556
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

Cross reference information

Product: IBM Business Process Manager
  Platform: Platform Independent
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6

Product: IBM Business Process Manager Advanced
  Platform: Platform Independent
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
            8.5.0.1, 8.5

Product: IBM Business Process Manager Express
  Platform: Platform Independent
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706,
            8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606,
            8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5

Product: IBM Business Process Manager Standard
  Platform: Platform Independent
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
            8.5.0.1, 8.5

================================================================================

Security Bulletin: Cross-site request forgery vulnerability in IBM Business
Automation Workflow (CVE-2018-2000)

Document information
More support for:     IBM Business Automation Workflow
Software version:     18.0.0.0, 18.0.0.1
Reference #:          0870496
Modified date:        04 April 2019

Summary

A cross-site request forgery vulnerability has been found in IBM Business
Automation Workflow.

Vulnerability Details

CVEID: CVE-2018-2000
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site request
forgery, which could allow an attacker to execute malicious and unauthorized
actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/154890 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- IBM Business Process Manager V8.6.0.0 Cumulative Fix 2017.12 through V8.6.0.0
  Cumulative Fix 2018.03

Note: A fix for IBM Business Automation Workflow V18.0.0.2 is available even
though IBM Business Automation Workflow V18.0.0.2 is not vulnerable to this
security issue. The intention of this interim fix is to prevent the following
unnecessary warning message in IBM Installation Manager, which you see when
you upgrade IBM Business Automation Workflow:

  "One or more fixes will be uninstalled when IBM(R) Business Automation
  Workflow is updated to V18.0.0.2. The update does not address issues that
  were resolved previously by the maintenance packages. The problems might
  return if fixes for the the following issues are not reapplied or have new
  fixes applied to prevent the problems from returning.
  - JR60539 in the package IBM(R) Business Automation Workflow ..."
Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60539 as soon as practical:

  o IBM Business Automation Workflow (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60539
  --OR--
  . Apply cumulative fix Business Automation Workflow V18.0.0.2

For IBM Business Process Manager V8.6.0.0 CF 2017.12 through V8.6.0.0 CF
2018.03
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60539
  --OR--
  . Upgrade to Business Automation Workflow V18.0.0.2

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

Cross reference information

Product: IBM Business Process Manager
  Version:  8.6.0.CF201803, 8.6.0.CF201712

Product: IBM Business Process Manager Express
  Version:  8.6.0.CF201803, 8.6.0.CF201712

================================================================================

Security Bulletin: Information leakage in IBM Business Automation Workflow
(CVE-2018-1999)

Document information
More support for:     IBM Business Automation Workflow
Component:            Not Applicable
Software version:     18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #:          0870502
Modified date:        04 April 2019

Summary

An information leakage vulnerability in IBM Business Automation Workflow has
been found.

Vulnerability Details

CVEID: CVE-2018-1999
DESCRIPTION: IBM Business Process Manager could reveal sensitive version
information about the server from error pages that could aid an attacker in
further attacks against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/154889 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.0.0.0 through V8.0.1.3

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR JR60566 as soon as practical:

  o IBM Business Automation Workflow (including fix for IBM Business Process
    Manager V8.6.0.0 2018.03)
  o IBM Business Process Manager Advanced
  o IBM Business Process Manager Standard
  o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60566
  --OR--
  . Apply cumulative fix Business Automation Workflow V19.0.0.1

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
  . Upgrade to minimal cumulative fix levels as required by iFix and then
    apply iFix JR60566
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
  . Apply Cumulative Fix 2017.06 and then apply iFix JR60566
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF 2
  . Apply CF2 and then apply iFix JR60566
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
  . Apply iFix JR60566
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
  . Apply iFix JR60566
  --OR--
  . Upgrade to Business Automation Workflow V19.0.0.1

For products in extended support:
  o IBM Business Process Manager V8.0.0.0 through V8.0.1.3
    . Migrate to Business Automation Workflow V19.0.0.1
    --OR--
    . Contact IBM support to obtain and then apply iFix JR60566

Workarounds and Mitigations

None

Change History

4 April 2019: initial version published

Cross reference information

Product: IBM Business Process Manager
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6

Product: IBM Business Process Manager Advanced
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
            8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0

Product: IBM Business Process Manager Express
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706,
            8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606,
            8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
            8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0

Product: IBM Business Process Manager Standard
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
            8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0

================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-10237)

Document information
More support for:     IBM Business Automation Workflow
Software version:     18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #:          0870760
Modified date:        04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow and IBM Business Process Manager. WebSphere Application
Server Liberty is shipped as a component of the optional BPM component Process
Federation Server and User Management Service. Information about security
vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM
WebSphere Application Server Liberty has been published in a security
bulletin.
Vulnerability Details

Please consult the security bulletin: Potential denial of service in WebSphere
Application Server (CVE-2018-10237) for vulnerability details and information
about fixes.

Affected Products and Versions

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through V8.6.0.0
  Cumulative Fix 2018.03
- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

Change History

4 April 2019: original document published
Cross reference information

Product: IBM Business Process Manager
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6

Product: IBM Business Process Manager Express
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706,
            8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606,
            8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5

Product: IBM Business Process Manager Standard
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
            8.5.0.1, 8.5

Product: IBM Business Process Manager Advanced
  Version:  8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612,
            8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6,
            8.5.5, 8.5.0.2, 8.5.0.1, 8.5

Product: IBM Business Process Manager Enterprise Service Bus
  Version:  8.6.0.0

================================================================================

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (CVE-2018-1996)

Document information
More support for:     IBM Business Automation Workflow
Software version:     18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s):  AIX, Linux, Windows
Reference #:          0872352
Modified date:        04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Process Server,
WebSphere Enterprise Service Bus, and WebSphere Lombardi Edition. Information
about security vulnerabilities affecting IBM WebSphere Application Server
Traditional has been published in a security bulletin.

Vulnerability Details

Please consult the security bulletin: Weaker than expected security in
WebSphere Application Server with SP800-131 transition mode (CVE-2018-1996)
for vulnerability details and information about fixes.
Affected Products and Versions

- WebSphere Process Server V7.0.0.0 through V7.0.0.5 (and earlier unsupported
  releases)
- WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
  unsupported releases)
- WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
  unsupported releases)
- WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through V8.6.0.0
  Cumulative Fix 2018.03
- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2

Change History

4 April 2019: original document published
Cross reference information

Product: IBM Business Process Manager
  Platform: AIX, Linux, Windows
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6

Product: IBM Business Process Manager Express
  Platform: Linux, Windows
  Version:  8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706,
            8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606,
            8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5,
            8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1,
            7.5.0.1, 7.5

Product: IBM Business Process Manager Standard
  Platform: AIX, Linux, Solaris, Windows
  Version:  8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609,
            8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2,
            8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2,
            7.5.1.1, 7.5.1, 7.5.0.1, 7.5

Product: IBM Business Process Manager Advanced
  Platform: AIX, Linux, Solaris, Windows, z/OS
  Version:  8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612,
            8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6,
            8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1,
            8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

Product: WebSphere Lombardi Edition
  Platform: Platform Independent
  Version:  7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2, 7.1.0.3,
            7.1.0.2, 7.1.0.1, 7.1, 7.0.1

Product: WebSphere Enterprise Service Bus
  Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
  Version:  7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3,
            7.0.0.2, 7.0.0.1, 7.0

Product: IBM Business Process Manager Enterprise Service Bus
  Platform: Platform Independent
  Version:  8.6.0.0

Product: WebSphere Enterprise Service Bus, Registry Edition
  Platform: Platform Independent
  Version:  Version Independent

================================================================================

Security Bulletin: Multiple vulnerabilities have been identified in IBM
WebSphere Application Server shipped with IBM Digital Business Automation
Workflow family products (Java CPU January 2019)

Document information
More support for:     IBM Business Automation Workflow
Software version:     18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s):  AIX, Linux, Windows
Reference #:          0875276
Modified date:        04 April 2019

Summary

WebSphere Application Server is shipped as a component of IBM Business
Automation Workflow, IBM Business Process Manager, WebSphere Enterprise Service
Bus, and WebSphere Lombardi Edition. WebSphere Application Server Liberty is
shipped as a component of the optional BPM component Process Federation Server
and User Management Service. Information about security vulnerabilities
affecting IBM WebSphere Application Server Traditional and IBM WebSphere
Application Server Liberty has been published in a security bulletin.

Vulnerability Details

Please consult the security bulletin Multiple Vulnerabilities in IBM(R) Java
SDK affect WebSphere Application Server January 2019 CPU for vulnerability
details and information about fixes.

Additionally, IBM Business Automation Workflow, IBM Business Process Manager,
and WebSphere Lombardi Edition might be affected by the following
vulnerability:

CVEID: CVE-2018-11212
DESCRIPTION: libjpeg is vulnerable to a denial of service, caused by a
divide-by-zero error in the alloc_sarray function in jmemmgr.c. By persuading
a victim to open a specially-crafted file, a remote attacker could exploit
this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/143429 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

- IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
  unsupported releases)
- WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
  unsupported releases)

Note that Cumulative Fixes cannot automatically install interim fixes for the
base Application Server. It is important to follow the complete installation
instructions and manually ensure that recommended security fixes are
installed.

For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.

Change History

4 April 2019: original document published
17 September 2018: added list of affected products
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information (Product / Platform / Version; the Component and Edition columns are empty in every row)

IBM Business Process Manager
  Platform: AIX, Linux, Windows
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6

IBM Business Process Manager Express
  Platform: Linux, Windows
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Standard
  Platform: AIX, Linux, Solaris, Windows
  Version: 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Advanced
  Platform: AIX, Linux, Solaris, Windows, z/OS
  Version: 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

WebSphere Lombardi Edition
  Platform: Platform Independent
  Version: 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2, 7.1.0.1, 7.1, 7.0.1

WebSphere Enterprise Service Bus
  Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
  Version: 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.2, 7.0.0.1, 7.0

IBM Business Process Manager Enterprise Service Bus
  Platform: Platform Independent
  Version: 8.6.0.0

WebSphere Enterprise Service Bus Registry Edition
  Platform: Platform Independent
  Version: Version Independent

================================================================================

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Digital Business Automation Workflow family products (CVE-2019-4030)

Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #: 0875432
Modified date: 04 April 2019

Summary
WebSphere Application Server is shipped as a component of IBM Business Automation Workflow and IBM Business Process Manager. Information about security vulnerabilities affecting IBM WebSphere Application Server Traditional has been published in a security bulletin.

Vulnerability Details
Please consult the security bulletin: Cross-site scripting vulnerability in WebSphere Application Server Admin Console (CVE-2019-4030) for vulnerability details and information about fixes.

Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier unsupported releases)

Note that Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Change History
4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information (Product / Platform / Version; the Component and Edition columns are empty in every row)

IBM Business Process Manager
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6

IBM Business Process Manager Express
  Platform: Platform Independent
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Standard
  Platform: Platform Independent
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Advanced
  Platform: Platform Independent
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Enterprise Service Bus
  Version: 8.6.0.0

WebSphere Lombardi Edition
  Platform: Platform Independent
  Version: 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2, 7.1.0.1, 7.1, 7.0.1

WebSphere Enterprise Service Bus
  Platform: Platform Independent
  Version: 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.2, 7.0.0.1, 7.0

WebSphere Enterprise Service Bus Registry Edition
  Platform: Platform Independent
  Version: Version Independent

================================================================================

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Digital Business Automation Workflow family products (CVE-2018-1902)

Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Operating system(s): AIX, Linux, Windows
Reference #: 0875436
Modified date: 04 April 2019

Summary
WebSphere Application Server is shipped as a component of IBM Business Automation Workflow, IBM Business Process Manager, WebSphere Enterprise Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server Liberty is shipped as a component of the optional BPM components Process Federation Server and User Management Service. Information about security vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM WebSphere Application Server Liberty has been published in a security bulletin.

Vulnerability Details
Please consult the security bulletin: Potential Spoofing vulnerability in WebSphere Application Server (CVE-2018-1902) for vulnerability details and information about fixes.

Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier unsupported releases)

Note that Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.
Change History
4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information (Product / Platform / Version; the Component and Edition columns are empty in every row)

IBM Business Process Manager
  Platform: AIX, Linux, Windows
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6

IBM Business Process Manager Express
  Platform: Linux, Windows
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Standard
  Platform: AIX, Linux, Solaris, Windows
  Version: 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Advanced
  Platform: AIX, Linux, Solaris, Windows, z/OS
  Version: 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

WebSphere Lombardi Edition
  Platform: Platform Independent
  Version: 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2, 7.1.0.1, 7.1, 7.0.1

WebSphere Enterprise Service Bus
  Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
  Version: 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.2, 7.0.0.1, 7.0

IBM Business Process Manager Enterprise Service Bus
  Platform: Platform Independent
  Version: 8.6.0.0

WebSphere Enterprise Service Bus Registry Edition
  Platform: Platform Independent
  Version: Version Independent

================================================================================

Security Bulletin: External Service invocation in IBM Business Space affects IBM Business Automation Workflow and IBM Business Process Manager family products (CVE-2018-1885)

Document information
More support for: IBM Business Automation Workflow
Component: Not Applicable
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2
Reference #: 0878106
Modified date: 04 April 2019

Summary
A vulnerability in IBM Business Space can allow an attacker to cause an external service invocation.

Vulnerability Details
CVEID: CVE-2018-1885
DESCRIPTION: IBM Business Space could allow an unauthenticated attacker to obtain sensitive information using a specially crafted HTTP request.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152020 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager Enterprise Service Bus V8.6
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 Cumulative Fix 2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.5.1.2

Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR60524 as soon as practical:
o IBM Business Automation Workflow (including fix for IBM Business Process Manager V8.6.0.0 2018.03)
o IBM Business Process Manager Advanced
o IBM Business Process Manager Standard
o IBM Business Process Manager Express

For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.2
. Upgrade to at least IBM Business Automation Workflow V18.0.0.1 as required by the iFix and then apply iFix JR60524
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.1

For IBM Business Process Manager V8.6.0.0 through V8.6.0.0 CF 2018.03
. Upgrade to at least IBM BPM 8.6.0.0 CF 2018.03 as required by the iFix and then apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
. Apply Cumulative Fix 2017.06 and then apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
. Apply CF2 and then apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.5.0
. Apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For IBM BPM V8.5.0.0 through V8.5.0.2
. Apply iFix JR60524
- --OR--
. Upgrade to Business Automation Workflow V19.0.0.1

For products in extended support:
o IBM Business Process Manager V7.5.0.0 through V8.0.1.3
  . Migrate to Business Automation Workflow V19.0.0.1
o IBM WebSphere Enterprise Service Bus V7.0 through V7.5.1.2
  . Migrate to IBM Business Process Manager Enterprise Service Bus V8.6
  - --OR--
  . Contact IBM support to obtain and then apply iFix JR60524

Workarounds and Mitigations
None

Change History
4 April 2019: initial version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information (Product / Platform / Version; the Component and Edition columns are empty in every row)

IBM Business Process Manager
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6

IBM Business Process Manager Advanced
  Platform: Platform Independent
  Version: 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0

IBM Business Process Manager Express
  Platform: Platform Independent
  Version: 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0

IBM Business Process Manager Standard
  Platform: Platform Independent
  Version: 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1.0, 7.5.0.1, 7.5.0.0

IBM Business Process Manager Enterprise Service Bus
  Platform: Platform Independent
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6

================================================================================

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Digital Business Automation Workflow family products (CVE-2019-4046)

Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s): AIX, Linux, Windows
Reference #: 0878446
Modified date: 04 April 2019

Summary
WebSphere Application Server is shipped as a component of IBM Business Automation Workflow, IBM Business Process Manager, WebSphere Enterprise Service Bus, and WebSphere Lombardi Edition. WebSphere Application Server Liberty is shipped as a component of the optional BPM components Process Federation Server and User Management Service. Information about security vulnerabilities affecting IBM WebSphere Application Server Traditional and IBM WebSphere Application Server Liberty has been published in a security bulletin.

Vulnerability Details
Please consult the security bulletin: Potential denial of service vulnerability in WebSphere Application Server (CVE-2019-4046) for vulnerability details and information about fixes.

Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1
- - IBM Business Process Manager Enterprise Service Bus V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier unsupported releases)

Note that Cumulative Fixes cannot automatically install interim fixes for the base Application Server. It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Change History
4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information (Product / Platform / Version; the Component and Edition columns are empty in every row)

IBM Business Process Manager
  Platform: AIX, Linux, Windows
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6

IBM Business Process Manager Express
  Platform: Linux, Windows
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Standard
  Platform: AIX, Linux, Solaris, Windows
  Version: 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Advanced
  Platform: AIX, Linux, Solaris, Windows, z/OS
  Version: 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

WebSphere Lombardi Edition
  Platform: Platform Independent
  Version: 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2, 7.1.0.1, 7.1, 7.0.1

WebSphere Enterprise Service Bus
  Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
  Version: 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.2, 7.0.0.1, 7.0

IBM Business Process Manager Enterprise Service Bus
  Platform: Platform Independent
  Version: 8.6.0.0

WebSphere Enterprise Service Bus Registry Edition
  Platform: Platform Independent
  Version: Version Independent

================================================================================

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Digital Business Automation Workflow family products (CVE-2019-4080)

Document information
More support for: IBM Business Automation Workflow
Software version: 18.0.0.0, 18.0.0.1, 18.0.0.2, 19.0.0.1
Operating system(s): Platform Independent
Reference #: 0878663
Modified date: 04 April 2019

Summary
WebSphere Application Server is shipped as a component of IBM Business Automation Workflow and IBM Business Process Manager. Information about security vulnerabilities affecting IBM WebSphere Application Server Traditional has been published in a security bulletin.

Vulnerability Details
Please consult the security bulletin: Potential denial of service in WebSphere Application Server Admin Console (CVE-2019-4080) for vulnerability details and information about fixes.

Affected Products and Versions
- - IBM Business Automation Workflow V18.0.0.0 through V19.0.0.1
- - IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2018.03
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier unsupported releases)

Note that Cumulative Fixes cannot automatically install interim fixes for the base Application Server.
It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.

Change History
4 April 2019: original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information (Product / Platform / Version; the Component and Edition columns are empty in every row)

IBM Business Process Manager
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6

IBM Business Process Manager Express
  Platform: Platform Independent
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Standard
  Platform: Platform Independent
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Advanced
  Platform: Platform Independent
  Version: 8.6.0.CF201803, 8.6.0.CF201712, 8.6, 8.5.7.CF201706, 8.5.7.CF201703, 8.5.7.CF201612, 8.5.7.CF201609, 8.5.7.CF201606, 8.5.7, 8.5.6.2, 8.5.6.1, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

IBM Business Process Manager Enterprise Service Bus
  Version: 8.6.0.0

WebSphere Lombardi Edition
  Platform: Platform Independent
  Version: 7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2, 7.1.0.3, 7.1.0.2, 7.1.0.1, 7.1, 7.0.1

WebSphere Enterprise Service Bus
  Platform: Platform Independent
  Version: 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.2, 7.0.0.1, 7.0

WebSphere Enterprise Service Bus Registry Edition
  Platform: Platform Independent
  Version: Version Independent

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above.
If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXKbjfGaOgq3Tt24GAQgtzw/+OKJ/HPGZtRDjH3h5ZRM79LRV9GMaHSIv
EWUHOIRruLx26gpmYvjIwW+SuNb6/z3QN2UL+5iIcbuu4SRNM+G4oaIwrfu3qVM4
oCQtkpAlESZ81Z05qlCk+OpTHU2Tf0Sj0Gmvb10w5ZHYZKLdyH1b4WTWYWG7Kc1x
6/Q4S3S3pjJ5IyxOxG0NdGEPeNqkImcy4EUPlSjfzWCrIRzb8SfGiqDwaqlAAMMK
IdGMAbp59kNM0iok2rLxhocsteCVtGTUt9WXUSFjsI/cc3VrLNWKo0kMMe3dAIyN
q3laSv9Yg1/5YkCgs29rKRBbkM+AHfkEEJrv8fhBmG1rjUXD1cTQwSIxEFyZ4iTS
4VS4HCv2MPwG70vqTezZhPdY+Vn/vLf4ZLn/VoJGC32T46Vv6sz6qxBTKXtR0Lzv
83XCM3hliUjvCl6BZuN8Rn0y2od9u34+ru4yNX9qC6OMzYDfEKjwVSKbHNJSU3vX
nVMpXE4Hhsw5C1vbRsXukzFs3VgvQjIr6fwEWSU3q2YVIpfQDuY73s+6fKJbPebF
PpFRhoKfhQ2FKFw4ai/0z0jhmdqPj2rEsIhxYD/FbPHot4K0yjgPm959p6AVPqPA
9YgZtma7hRoW87exIep+MxLrLcJkRH9P0LqdYqgvk7gudGFJ8Ua5Jz0N314FDjoU
a8mO7irzK0E=
=vKli
-----END PGP SIGNATURE-----