Direct links to fixes
APAR status
Closed as program error.
Error description
CVEID: CVE-2021-22918 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuv's uv__idna_toascii() function. By invoking the function using dns module's lookup() function, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service. CVSS Base score: 6.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204784 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) CVEID: CVE-2021-22921 DESCRIPTION: Node.js could allow a local attacker to gain elevated privileges on the system, caused by improper configuration of permissions in the installation directory. Under certain conditions. An attacker could exploit this vulnerability to perform PATH and DLL hijacking attacks. CVSS Base score: 7.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204785 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID: CVE-2021-22939 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions. If the https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, an attacker could exploit this vulnerability to connect to servers using an expired certificate. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207233 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) CVEID: CVE-2021-22931 DESCRIPTION: Node.js could provide weaker than expected security, caused by missing input validation on hostnames returned by DNS servers. An attacker could exploit this vulnerability to cause output of wrong hostnames leading to Domain Hijacking and and injection vulnerabilities in applications using the library. CVSS Base score: 5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207230 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) CVEID: CVE-2021-22940 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for CVE-2021-22930 related to a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207520 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVEID: CVE-2021-22930 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206473 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Local fix
Use a text editor to modify the BPMConfig properties files. For more information, see "Configuration properties for the BPMConfig command" (https://www.ibm.com/docs/en/baw/20.x?topic=utility-configuratio n-properties-bpmconfig-command).
Problem summary
No additional information is available.
Problem conclusion
A fix that updates the version of Node.js that is used in the Configuration editor will be available in a future release of Business Automation Workflow.
Temporary fix
Comments
APAR Information
APAR number
JR64015
Reported component name
CLOUD PAK FOR A
Reported component ID
5737I2300
Reported release
L00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-08-03
Closed date
2021-09-26
Last modified date
2021-09-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
CLOUD PAK FOR A
Fixed component ID
5737I2300
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBYVB","label":"IBM Cloud Pak for Business Automation"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"L00","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
11 March 2022