IBM Support

JR61972: SECURITY APAR - MULTIPLE VULNERABILITIES IN IBM SDK FOR NODE.JS MIGHT AFFECT THE IBM BPM CONFIGURATION EDITOR

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct links to fixes

workflow.20001.delta.repository
8.6.10019003-WS-BPM-IFJR61972
8.6.10019002-WS-BPM-IFJR61972
8.6.10019001-WS-BPM-IFJR61972
8.6.10018001-WS-BPM-IFJR61972
8.6.0.201803-WS-BPM-IFJR61972
8.5.7.201706-WS-BPM-IFJR61972

 

APAR status

  • Closed as program error.

Error description

  • CVEID:   CVE-2019-15606
DESCRIPTION:   Node.js could allow a remote attacker to bypass
security restrictions, caused by an issue when HTTP header
values do not have trailing OWS trimmed. By sending a
specially-crafted request, an attacker could exploit this
vulnerability to bypass authorization based on header value
comparisons.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/175914 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2019-15604
DESCRIPTION:   Node.js is vulnerable to a denial of service,
caused by improper certificate validation. By sending a
specially-crafted X.509 certificate, a remote attacker could
exploit this vulnerability to cause the process to abort.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/175912 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2019-15605
DESCRIPTION:   Node.js vulnerable to HTTP request smuggling,
caused by a flaw when handling unusual Transfer-Encoding HTTP
header. By sending a specially-crafted request, an attacker
could exploit this vulnerability to poison the web cache, bypass
web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/175913 for
the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Local fix

  • Use a text editor to modify the BPMConfig properties files. For
more information, see "Configuration properties for the
BPMConfig command"
(https://www.ibm.com/support/knowledgecenter/SS8JB4/com.ibm.wbpm
.ref.doc/topics/samplecfgprops.html).

Problem summary

  • No additional information is available.

Problem conclusion

  • A fix is available or will be available that updates the version
 of Node.js that is used in the Configuration editor.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR61972
    • 

  • Reported component name
    BUS AUTO WORKFL
    • 

  • Reported component ID
    5737H4100
    • 

  • Reported release
    J00
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2020-02-12
    • 

  • Closed date
    2020-06-01
    • 

  • Last modified date
    2020-06-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BUS AUTO WORKFL
    • 

  • Fixed component ID
    5737H4100
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"19.0.0.1","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            22 June 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback