Direct links to fixes
APAR status
Closed as program error.
Error description
CVEID: CVE-2021-3749 Description: axios is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the trim function. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause an application to consume an excessive amount of CPU. CVSS Base Score: 7.5 CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/208438 for more information CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2022-0155 DESCRIPTION: follow-redirects could allow a remote attacker to obtain sensitive information, caused by an unauthorized actor. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to obtain private personal information and use this information to launch further attacks against the affected system. CVSS Base score: 8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216974 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) CVEID: CVE-2022-0536 DESCRIPTION: Node.js follow-redirects module could allow a remote authenticated attacker to obtain sensitive information, caused by a leakage of the Authorization header from the same hostname during HTTPS to HTTP redirection. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to obtain Authorization header information, and use this information to launch further attacks against the affected system. CVSS Base score: 2.6 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219551 for the current score. CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Local fix
Problem summary
No additional information is available. PRODUCT AFFECTED: IBM Business Automation Workflow IBM Cloud Pak for Business Automation
Problem conclusion
A fix is available or will be available that updates the node.js modules in a user interface component.
Temporary fix
Comments
APAR Information
APAR number
JR64327
Reported component name
CLOUD PAK FOR A
Reported component ID
5737I2300
Reported release
L00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-12-06
Closed date
2022-04-19
Last modified date
2022-04-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"21.0.2","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
24 August 2022