-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4682
 Security Bulletin: A cross site scripting security vulnerability has been
          identified with Case Builder component shipped with IBM
               Business Automation Workflow (CVE-2019-4426)
                             16 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Automation Workflow
Publisher:         IBM
Operating System:  Linux variants
                   AIX
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4426  

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1135552

- --------------------------BEGIN INCLUDED TEXT--------------------

A cross site scripting security vulnerability has been identified with Case
Builder component shipped with IBM Business Automation Workflow (CVE-2019-4426)

Security Bulletin

Summary

Case Builder component shipped with IBM Business Automation Workflow is
vulnerable to cross-site scripting. This vulnerability allows users to embed
arbitrary JavaScript code in the Web UI thus altering the intended
functionality potentially leading to credentials disclosure within a trusted
session.

Vulnerability Details

CVEID: CVE-2019-4426
DESCRIPTION: Case Builder component shipped with IBM Business Automation
Workflow and IBM Case Manager is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162772 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

+--------------------------------+----------+
|Affected Product(s)             |Version(s)|
+--------------------------------+----------+
|IBM Business Automation Workflow|18.0      |
|                                |19.0      |
+--------------------------------+----------+

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix
(CF) containing APAR PJ45724 as soon as practical:

   IBM Business Automation Workflow

For IBM Business Automation Workflow V18.0.0.0 through V19.0.0.2

. Upgrade toat least IBM Business Automation Workflow V18.0.0.1as required by
iFix and then apply iFix PJ45724
- --OR--
. Apply cumulative fix Business Automation Workflow V19.0.0.3 (planned for end
of Q4 2019)

Workarounds and Mitigations

- - There are preventative methods for cross-site scripting vulnerabilities. The
following are just a few.
a) Use HTTPOnly flag in the application server
b) Use additional HTTP headers for added security

Get Notified about Future Security Bulletins

References

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfbhLmaOgq3Tt24GAQh1Zw/9HXCVGqSQXrw7793IseUmYeNHTGBGQbl9
N9dpWrSn/qBt2ltBvwboMbVhQ+PCyyPxBMJSbuxIrueJCdGgLGWnElRd4kTc4zoy
ddwJCJQilJGZEFVibs3gL4LBIs5oZKIZiG9chEk3gV/C/MxToV7ASV9RbykGoijV
rEw8DI/qJvgskdc8dWNua3GGbMXQE8twj2HoU4rR2lr2SZogAjT7sDgWzQ5damBv
rt9zBBcioW2xva0fVTaM5gMFS/03AlOIOlz26rJyd9FSc5tiY2qaZtsHXJAKiV+K
ZBOtyQEtbBqcqPTRsH8ZDMeslR/0u6cF/4O6kqp7ReTD/W3FTkrlUXxD9aMMNwxY
7JhK05+fO4ufyf6Y/JSWaj45cFy4TwvzZmcT+EYGiVQkF/fQvVBAKeWcfEREN+Ng
IH8qOixaBkp9CGioaEnyuHrSGoZ9lnHezRnMFyf3cnKNnblvMDHn2tVAGA5HMyVy
PBGbLcFozKfbM67WyF7U/roJjB4MgEfovroQJq6GBD0z8pgPVoxjBOr6vnS3Gk/x
oVZzlzNq7FIdlnauTQxUx31SH9F8l1aN51eTMkUIfoxlKJaxR0EzAyEQm8qdkzBN
bwGUKuiDcxZ7ujsAb1LBJdmUbc+kCwqZSL6VjnRKp+qgROzddas72NaGSC5ueKhq
7V1iG/T13KE=
=OPZq
-----END PGP SIGNATURE-----