APAR status
Closed as program error.
Error description
CVEID: CVE-2021-44531
Description: Node.js could allow a remote attacker to bypass security restrictions, caused by the improper handling of URI Subject Alternative Name (SAN) types. An attacker could exploit this vulnerability to bypass name-constrained intermediates.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216930 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-44532
Description: Node.js could allow a remote attacker to bypass security restrictions, caused by a string injection vulnerability when name constraints were used within a certificate chain. An attacker could exploit this vulnerability to bypass the name constraints.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216931 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-44533
Description: Node.js could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of multi-value Relative Distinguished Names. By crafting certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, an attacker could exploit this vulnerability to bypass the certificate subject verification.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216932 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2022-21824
Description: Node.js could provide weaker than expected security, caused by an error in the formatting logic of the console.table() function. An attacker could exploit this vulnerability using console.table properties to allow an empty string to be assigned to numerical keys of the object prototype.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/216933 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2022-0778
Description: OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, resulting in a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/221911 for more information
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Local fix
Use a text editor to modify the BPMConfig properties files. For more information, see "Configuration properties for the BPMConfig command" (https://www.ibm.com/docs/en/baw/20.x?topic=utility-configuration-properties-bpmconfig-command).
Problem summary
No additional information is available.
Problem conclusion
A fix that updates the version of Node.js that is used in the Configuration editor will be available in a future release of Business Automation Workflow.
Temporary fix
Comments
APAR Information
APAR number
JR64535
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
L00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-01-21
Closed date
2022-05-08
Last modified date
2022-05-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
Product: IBM Business Automation Workflow (SS8JB4), Version 21.0.2; Platform: Platform Independent (PF025); Business Unit: IBM Software w/o TPS (BU059); Line of Business: Automation (LOB45)
Document Information
Modified date:
24 August 2022