APAR status
Closed as program error.
Error description
CVEID: CVE-2021-22959
Description: Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers. A remote attacker could send a specially-crafted request with a space (SP) right after the header name and before the colon, leading to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/211168 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-22960
Description: Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests. A remote attacker could send a specially-crafted request, leading to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/211171 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Local fix
Use a text editor to modify the BPMConfig properties files. For more information, see "Configuration properties for the BPMConfig command" (https://www.ibm.com/docs/en/baw/20.x?topic=utility-configuration-properties-bpmconfig-command).
Problem summary
No additional information is available.
Problem conclusion
A fix that updates the version of Node.js that is used in the Configuration editor will be available in a future release of Business Automation Workflow.
Temporary fix
Comments
APAR Information
APAR number
JR64322
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
L00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-11-02
Closed date
2022-02-10
Last modified date
2022-02-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
Line of Business: Automation (LOB45)
Business Unit: IBM Software w/o TPS (BU059)
Product: IBM Business Automation Workflow (SS8JB4)
Platform: Platform Independent (PF025)
Version: 21.0.2
Document Information
Modified date:
10 February 2022