IBM Support

JR62610: SECURITY APAR - MULTIPLE VULNERABILITIES AFFECT THE EMBEDDED IBM CONTENT NAVIGATOR


APAR status

  • Closed as program error.

Error description

  • Third Party Entry: PSIRT-ADV0024961
    DESCRIPTION: Created from Advisory: ADV0024961
    CVSS Base score: 6.2
    CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    
    CVEID: 186425
    DESCRIPTION: The jose.4.j library could allow a remote attacker
    to obtain sensitive information, caused by an Elliptic Curve Key
    Disclosure if the JWK's Header Parameter includes the public
    key. An attacker could generate a private key/public key pair
    and send the public key together with the signature, resulting in
    the invalidation of the signature.
    CVSS Base Score: 8.7
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/186425 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
    
    CVEID: CVE-2020-4687
    DESCRIPTION: IBM Content Navigator could allow an authenticated
    user to view cached content of another user that they should not
    have access to.
    CVSS Base Score: 4.3
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/186679 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
    
    CVEID: CVE-2020-4704
    DESCRIPTION: IBM Content Navigator is vulnerable to stored
    cross-site scripting. This vulnerability allows users to embed
    arbitrary JavaScript code in the Web UI, thus altering the
    intended functionality and potentially leading to credentials
    disclosure within a trusted session.
    CVSS Base Score: 6.4
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/187189 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
    
    CVEID: CVE-2020-4760
    DESCRIPTION: IBM Content Navigator is vulnerable to cross-site
    scripting. This vulnerability allows users to embed arbitrary
    JavaScript code in the Web UI, thus altering the intended
    functionality and potentially leading to credentials disclosure
    within a trusted session.
    CVSS Base Score: 5.4
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/188737 for
    the current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
    
    PRODUCTS AFFECTED
    IBM Business Automation Workflow
    

Local fix

  • CVEID: CVE-2020-4687
    Mitigation: Add the docParamsToIgnore parameter to the server
    configuration and set it to a value that is not a standard URL
    query parameter (such as mitigateCacheFlaw). This stops the
    default value, security_token, from being the ignored parameter,
    so the token stays part of the document cache key and document
    caching becomes user-session specific again.
    Limitations of mitigation: The mitigation works only where
    docIdPrototype is ${originalDocURL}. It does not work where
    docIdPrototype has been set to a subset of the URL parameters
    (as in current versions of ICN), which is done to let ICN clear
    the ViewONE cache for non-versioned documents.
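
    The caching condition behind CVE-2020-4687 and the effect of the
    mitigation, as an added illustration that is not IBM's code:
    cache_key is a hypothetical model of the ICN/ViewONE derivation
    described above (${originalDocURL} minus the parameters named in
    docParamsToIgnore); the host, path, document id and token values
    are constructed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical model (not ICN or ViewONE code) of the cache-key derivation the
# APAR describes: docIdPrototype is ${originalDocURL}, and every query parameter
# named in docParamsToIgnore is stripped before the URL becomes the cache key.
DEFAULT_DOC_PARAMS_TO_IGNORE = ("security_token",)  # the default the APAR names


def cache_key(original_doc_url, doc_params_to_ignore=DEFAULT_DOC_PARAMS_TO_IGNORE):
    """Derive the document cache key: the URL minus the ignored parameters."""
    ignored = set(doc_params_to_ignore)
    parts = urlsplit(original_doc_url)
    kept = sorted(
        (name, value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
        if name not in ignored
    )
    # The fragment is dropped and parameters are sorted so that ordering alone
    # cannot split or merge cache entries.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


def shares_cache_entry(url_a, url_b, doc_params_to_ignore=DEFAULT_DOC_PARAMS_TO_IGNORE):
    """True when two requests would be served from the same cached document."""
    return cache_key(url_a, doc_params_to_ignore) == cache_key(url_b, doc_params_to_ignore)


# Constructed sample requests: two users open the same document, each with the
# security_token bound to their own session. Host, path and tokens are made up.
ALICE_URL = "https://icn.example.test/navigator/doc?docId=42&security_token=tok-alice"
BOB_URL = "https://icn.example.test/navigator/doc?docId=42&security_token=tok-bob"


def compare_settings():
    """Return (shared_with_default, shared_with_mitigation) for the two requests."""
    # Default: security_token is ignored, so both users map to one cache entry
    # and one user can be served the other's cached content (the CVE-2020-4687
    # condition).
    shared_with_default = shares_cache_entry(ALICE_URL, BOB_URL)
    # Mitigation: docParamsToIgnore names a parameter that never appears in the
    # URL, so security_token stays in the key and entries are per session.
    shared_with_mitigation = shares_cache_entry(ALICE_URL, BOB_URL, ("mitigateCacheFlaw",))
    return shared_with_default, shared_with_mitigation


if __name__ == "__main__":
    print(compare_settings())  # (True, False)
```

    The same model also shows why the stated limitation holds: if the
    key were built from a parameter subset that omits security_token,
    no docParamsToIgnore value would put the token back into the key.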
    

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix is available or will be available that resolves the
    multiple vulnerabilities with the embedded IBM Content Navigator
    in Business Automation Workflow.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR62610

  • Reported component name

    BUS AUTO WORKFL

  • Reported component ID

    5737H4100

  • Reported release

    J00

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-08-13

  • Closed date

    2020-12-10

  • Last modified date

    2025-07-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BUS AUTO WORKFL

  • Fixed component ID

    5737H4100

Applicable component levels

  • Business Unit: IBM Software (BU048)
  • Product: IBM Business Automation Workflow (SS8JB4)
  • Platform: Platform Independent (PF025)
  • Version: 19.0.0.1
  • Line of Business: Data Platform (LOB76)

Document Information

Modified date:
14 July 2025