Direct links to fixes
8.6.10018002-WS-BPM-WinX3264-IFJR62610
8.6.10018002-WS-BPM-MultiOS-IFJR62610
workflow.20002.delta.repository
8.6.20020001-WS-BPM-WinX3264-IFJR62610
8.6.20020001-WS-BPM-MultiOS-IFJR62610
8.6.10019003-WS-BPM-WinX3264-IFJR62610
8.6.10019003-WS-BPM-MultiOS-IFJR62610
8.6.10019002-WS-BPM-WinX3264-IFJR62610
8.6.10019002-WS-BPM-MultiOS-IFJR62610
APAR status
Closed as program error.
Error description
Third Party Entry: PSIRT-ADV0024961 DESCRIPTION: Created from Advisory: ADV0024961 CVSS Base score: 6.2 CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVEID: 186425 Description: The jose.4.j library could allow a remote attacker to obtain sensitive information, caused by an Elliptic Curve Key Disclosure if the JWK's Header Parameter includes the public key. An attacker could generate a private key/public key pair and send the public key together with the signature resulting in the invalidation of the signature. CVSS Base Score: 8.7 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/186425 for more information CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N) CVEID: CVE-2020-4687 DESCRIPTION: IBM Content Navigator could allow an authenticated user to view cached content of another user that they should not have access to. CVSS Base Score: 4.3 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/186679 for more information CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2020-4704 DESCRIPTION: IBM Content Navigator is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/187189 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) CVEID: CVE-2020-4760 DESCRIPTION: IBM Content Navigator is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188737 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) PRODUCTS AFFECTED IBM Business Automation Workflow
Local fix
CVEID: CVE-2020-4687 Mitigation: Add the docParamsToIgnore parameter to the server configuration and put a value in it that is not a standard URL queryParameter (such as mitigateCacheFlaw) to prevent the default value security_token from being used and, therefore, making the document-caching user session specific again. Limitations of mitigation: The mitigation will work only where docIdPrototype is ${originalDocURL} and not where it has been set to a subset of the URL parameters passed to enable ICN clearing of ViewONE cache for non-versioned documents (as in current versions of ICN).
Problem summary
No additional information is available.
Problem conclusion
A fix is available or will be available that resolves the multiple vulnerabilities with the embedded IBM Content Navigator in Business Automation Workflow.
Temporary fix
Comments
APAR Information
APAR number
JR62610
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
J00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-08-13
Closed date
2020-12-10
Last modified date
2020-12-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"19.0.0.1"}]
Document Information
Modified date:
23 January 2021