APAR status
Closed as program error.
Error description
CVEID: CVE-2020-8251
Description: Node.js is vulnerable to a denial of service, caused by the delayed submission of unfinished HTTP/1.1 requests. An attacker could exploit this vulnerability to make the server unable to accept new connections and exhaust all available resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/188592 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-8201
Description: Node.js is vulnerable to HTTP request smuggling, caused by CR-to-Hyphen conversion. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/188591 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2020-8252
Description: Node.js is vulnerable to a buffer overflow, caused by improper bounds checking in libuv's fs.realpath.native. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/188593 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Local fix
Use a text editor to modify the BPMConfig properties files. For more information, see "Configuration properties for the BPMConfig command" (https://www.ibm.com/support/knowledgecenter/SS8JB4/com.ibm.wbpm.ref.doc/topics/samplecfgprops.html).
Problem summary
No additional information is available.
Problem conclusion
A fix that updates the version of Node.js that is used in the Configuration editor will be available in a future release of Business Automation Workflow.
Temporary fix
Comments
APAR Information
APAR number
JR62874
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
K00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-09-29
Closed date
2020-12-11
Last modified date
2020-12-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
Line of Business: Automation (LOB45)
Business Unit: Cloud & Data Platform (BU053)
Product: IBM Business Automation Workflow (SS8JB4)
Platform: Platform Independent (PF025)
Version: 20.0.0.1
Document Information
Modified date:
14 December 2020