IBM Support

Readme for IBM Business Automation Workflow on containers 22.0.2 interim fixes

Fix Readme


Abstract

This readme is for IBM Business Automation Workflow on containers 22.0.2 interim fixes released periodically to resolve security vulnerabilities, as well as other defects. It includes information about the CASE package download, installation, and other information about interim fixes for the 22.0.2 release.

Content

Readme file for IBM Business Automation Workflow on containers
Product release 22.0.2
Publication date 26 January 2023

Contents

Prerequisites and superseding fixes

  • Each interim fix typically supersedes all other previous interim fixes shipped for 22.0.2, and complements a simultaneously delivered interim fix for IBM Cloud Pak for Business Automation 22.0.2. Consult the following table for specific relationships.
  • Business Automation Workflow on containers delivers container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly. These interim fixes include fixes for these libraries. Consult the superseded and related Cloud Pak for Business Automation 22.0.2 Readmes for specific information about vulnerabilities and other defects that have been addressed.
Business Automation Workflow on containers interim fixes

| Interim fix name | Superseded interim fix names | CASE package | Complementary Cloud Pak for Business Automation interim fix name | Released |
|---|---|---|---|---|
| 22.0.2 IF006 | See note (*) below | ibm-cs-bawautomation-2.4.7.tgz | 22.0.2 IF006 | June 2023 |
| 22.0.2 IF005 | See note (*) below | ibm-cs-bawautomation-2.4.6.tgz | 22.0.2 IF005 | May 2023 |
| 22.0.2 IF004 | See note (*) below | ibm-cs-bawautomation-2.4.5.tgz | 22.0.2 IF004 | April 2023 |
| 22.0.2 IF003 | See note (*) below | ibm-cs-bawautomation-2.4.4.tgz | 22.0.2 IF003 | March 2023 |
| 22.0.2 IF002 | * Note: All previous interim fixes listed in this table | ibm-cs-bawautomation-2.4.3.tgz | 22.0.2 IF002 | February 2023 |
| 22.0.2 IF001 | None | ibm-cs-bawautomation-2.4.2.tgz | 22.0.2 IF001 | January 2023 |

The previous table is listed in reverse chronological order, with more recent fixes listed at the top.

Components impacted

Before installation

a. Ensure you back up all databases associated with the environment.
b. Ensure your operators are in a healthy state before upgrading.
If one or more operators are failing, the system might be prevented from completing an upgrade. Check a few of the important custom resource (CR) statuses for failures and to ensure the statuses appear ready for the various installed components.
Check the status of the following CRs when they exist:
oc get icp4acluster -o yaml

Installing the interim fix

Important:  Using individual image tag settings in your Business Automation Workflow CR file could prevent the operator from updating the images to the appropriate version. When you upgrade, ensure you remove these settings for a production installation.
Use the CASE package that is associated with the interim fix being applied. It is typically recommended that the latest interim fix be applied. To identify the appropriate CASE package, as well as links to obtain each package, see the table under Prerequisites and superseding fixes.
Business Automation Workflow 22.0.2 interim fixes are released to the v22.2 operator channel. After the operator is upgraded, rolling updates for all the pods the operator manages are triggered to ensure they are updated to the appropriate version that matches the operator.
If your environment has access to the IBM entitled registry and has an automatic v22.2 channel subscription, enterprise installations are upgraded automatically. This upgrade usually occurs when the interim fix is released or when images are mirrored for air-gap setup.

Depending on the current setup and state of your existing environment, various manual actions might be required. The following scenarios cover what actions might be needed for a particular setup.
  • Scenario 1: Your installation is version 21.0.2.x or earlier.
    Actions: If you are using a version earlier than 21.0.3, you must upgrade first. To upgrade your environment, follow the Upgrading automation containers instructions.
    When you perform the upgrade, you can substitute the CASE package from this interim fix for the 22.0.2 CASE package while you follow the instructions. For air-gapped environments, you can use the case save command in step 1 of scenario 3.
    Note: If you are using versions that are earlier than 21.0.2, you must incrementally upgrade and follow the instructions for each version between your source version and 22.0.2.
  • Scenario 2: Your installation is online and 22.0.2.x.
    Actions: After these steps are completed, the operators are automatically upgraded.
    You can apply the following catalog sources from a command line by creating a YAML file (for example, cp4ba_catalog_sources.yaml) with the following catalog sources and performing "oc apply -f cp4ba_catalog_sources.yaml", or you can apply the catalog sources by using the OCP console.
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-operator-catalog
      namespace: openshift-marketplace
    spec:
      displayName: "IBM Operator Catalog"
      image: icr.io/cpopen/ibm-operator-catalog
      publisher: IBM
      sourceType: grpc
      updateStrategy:
        registryPoll:
          interval: 45m
  • Scenario 3: Your installation is air gapped and 22.0.2.x.
    1. Set up the environment variables for CASE, taking 22.0.2-IF001 as an example:
      • export CASE_NAME=ibm-cs-bawautomation 
      • export OFFLINEDIR=/tmp/cp4ba2202-if001
      • export CASE_VERSION=2.4.2
      • export CASE_INVENTORY_SETUP=cp4aOperatorSetup 
      • export CASE_ARCHIVE=${CASE_NAME}/${CASE_VERSION}/${CASE_NAME}-${CASE_VERSION}.tgz 
      • export CASE_LOCAL_PATH=${OFFLINEDIR}/${CASE_ARCHIVE}
      Note: Some values, such as CASE_VERSION, are specific to the interim fix. You can choose a different empty directory for OFFLINEDIR if you need to put the files somewhere else.
    2. Download the Cloud Pak archives and image inventory, and put them in the offline store:
      cloudctl case save \
        --case https://github.com/IBM/cloud-pak/raw/master/repo/case/${CASE_ARCHIVE} \
        --outputdir ${OFFLINEDIR}
      Then unpack the CASE file:
      cd ${OFFLINEDIR}
      tar -xvzf ${CASE_ARCHIVE}
      cd cert-kubernetes
    3. Mirror images to trigger the operator upgrades. 
    4. Mirror the entitled registry images to the local registry by completing the same steps you followed during installation. For more information, see Mirroring images to the private registry.
      Important: Ensure you use the CASE image outputdir (/tmp/cp4ba-241) from step 1.
    5. If you have subscriptions set to manual, you must approve all the pending operator updates. 
      Important: Do not set subscriptions to manual because it can make the upgrade more error prone if some of the many operator updates are not approved. By default, all subscriptions are set to automatic.
After the operators are upgraded, the upgrade of the related deployments and pods is triggered.
Note: Since 22.0.2-IF006, if you purchase the cp4a production license, you need to input CP4A for sc_deployment_context in the CR file.

Performing the necessary tasks after installation

Review the installation
Review the CR yaml status section and operator logs after the upgrade to ensure no failures prevented your pods from upgrading.
oc get icp4acluster -o yaml > CP4BAconfig.yaml
oc logs deployment/ibm-cp4a-operator -c operator > operator.log
To verify the expected image digest for a particular image, review the ibm-cp-automation\inventory\cp4aOperatorSdk\resources.yaml file in the CASE package. This file has a listing of the images managed by the Cloud Pak for Business Automation operator and their expected digest for this particular interim fix level.
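One way to run the digest check described above over every running container instead of one image at a time. This is an added example, not part of IBM's readme or tooling. The function names, the assumed layout of resources.yaml (an "image:" line followed by "digest:" lines) and the sample values are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not IBM code). Assumed resources.yaml layout: each image entry
# has an "image: <repo/name>" line followed by one or more "digest: sha256:..." lines.

# expected_digests FILE -> one "<image-name> <digest>" pair per line
expected_digests() {
  awk '{ sub(/^[ \t-]+/, "") }                 # strip indentation and list dashes
       $1 == "image:"  { n = split($2, p, "/"); name = p[n] }
       $1 == "digest:" && name != "" { print name, $2 }' "$1"
}

# check_digests RESOURCES_YAML IMAGE_IDS_FILE
# IMAGE_IDS_FILE holds one imageID per line, for example from:
#   oc get pods -o jsonpath='{range .items[*].status.containerStatuses[*]}{.imageID}{"\n"}{end}'
# Images are matched by name only, because a mirror changes the registry host.
# Returns 1 if a listed image runs with a digest that the CASE does not list.
check_digests() {
  expected_digests "$1" | awk -v ids="$2" '
    { allowed[$1 " " $2] = 1; managed[$1] = 1 }
    END {
      while ((getline line < ids) > 0) {
        at = index(line, "@")
        if (at == 0) { print "NODIGEST " line; continue }
        n = split(substr(line, 1, at - 1), p, "/"); key = p[n] " " substr(line, at + 1)
        if (!(p[n] in managed))   print "UNMANAGED " line
        else if (key in allowed)  print "OK " line
        else { print "MISMATCH " line; rc = 1 }
      }
      exit rc + 0
    }'
}

# write_sample DIR: constructed inputs; names and digests are made up and shortened
write_sample() {
  cat > "$1/resources.yaml" <<'EOF'
containerImages:
- image: cpopen/example-operator
  digest: sha256:aaa1
  manifests:
  - digest: sha256:aaa2
- image: cp/example/workflow-server
  digest: sha256:bbb1
EOF
  cat > "$1/running.txt" <<'EOF'
mirror.example.com:5000/cpopen/example-operator@sha256:aaa2
cp.icr.io/cp/example/workflow-server@sha256:0ld9
quay.io/other/sidecar@sha256:ccc1
EOF
}
```

A MISMATCH line means a pod is still running an image from a different fix level, which is the case to investigate in the CR status and operator log collected above.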

Uninstalling

There is no procedure to uninstall the interim fix.

List of fixes

The following APARs are specific to Business Automation Workflow on containers. Depending on the components and capabilities you installed and configured, additional fix information might apply to you. See the "List of Fixes" in the readmes linked under Complementary Cloud Pak for Business Automation interim fixes in the Prerequisites and superseding fixes section in this document. These readmes detail vulnerability fixes shipped with interim fixes for included operating system level and other open source libraries. The fixes below are also listed in those readmes and are repeated here as a convenience.
Fixes that involve security are indicated with an X mark.
Business Automation Workflow
22.0.2 IF006
| APAR | Security APAR | Behavior change | Title |
|---|---|---|---|
| DT189179 | | | Running Process Portal on Chrome version 109 and later shows an error on the browser console |
| DT214551 | | | TASK NARRATIVE SECTION IN EMAIL NOTIFICATION IS EMPTY IN PROCESS PORTAL |
| DT215160 | | | REST API /OPS/STD/BPM/SAVED_SEARCH_ACCELERATION/OPTIMIZE FAILS TO LOAD DATA INTO SAVED SEARCH ACCELERATION TOOLS TABLE |
| DT220253 | | | TASK NARRATIVE SECTION IN EMAIL NOTIFICATION IS NOT POPULATED FOR ALL TASKS IN PROCESS PORTAL |
22.0.2 IF005
| APAR | Security APAR | Behavior change | Title |
|---|---|---|---|
| DT198220 | X | | Reflected Cross-site scripting (XSS) IBM BAW 21.0.3 Security Exposure |
| DT211505 | X | | SECURITY APAR - CVE-2023-20863 IN SPRING EXPRESSIONS |
| DT213491 | X | | SECURITY APAR - VULNERABILITY PRISMA-2023-0067 REPORTED FOR JACKSON-CORE IN BPM EVENT EMITTERS |
| DT209317 | | | TYPE AHEAD TEXT VIEW DOES NOT UPDATE ITS DATA BINDING WHEN AN OPTION IS SELECTED FROM LIST AND TEXT FIELD IS CLEARED |
| DT213407 | | | You notice the input data mappings for a call service activity of a heritage human service does not get saved when edited in IBM Process Designer |
| DT210959 | | | Entries with TASK_ID=NULL are never removed from the PFS_BPD_CHANGE_LOG TABLE if process instance indexing is not enabled for the federated system |
| DT213689 | | | Heritage human service editor diagram is not displaying stand-alone error event correctly |
| DT188910 | | | COMETD THROWS EXCEPTIONS FOR THE ADHOC GROUP CHANNEL ID AND GROUP THAT INCLUDES SPECIAL CHARACTERS |
| DT215795 | | | Unexpected heartbeat ConnectException is found in the workflow server FFDC logs |
22.0.2 IF004
| APAR | Security APAR | Behavior change | Title |
|---|---|---|---|
| DT197974 | X | | SECURITY VULNERABILITY IN COMMONS-FILEUPLOAD AFFECTS IBM BUSINESS AUTOMATION WORKFLOW AND CLOUD PAK FOR BUSINESS AUTOMATION |
| DT208579 | X | | SECURITY APAR - CVE-2022-1471 REPORTED FOR SNAKEYAML IN BPMEVENTEMITTER |
| DT208782 | X | | SECURITY APAR - CVE-2022-1471 REPORTED FOR SNAKEYAML IN BPMEVENTEMITTER |
| DT209212 | X | | SECURITY APAR - CVE-2023-20861 IN BPM/LOMBARDI/LIB/SPRING-EXPRESSIONS.JAR |
| DT208139 | | | IBM Process Federation Server indexers not reprocessing tasks and instances updates after a communication exception with Elasticsearch |
| DT209774 | | | NO TIMEZONE SETTING CAN BE CONFIGURED FOR THE PROCESS FEDERATION SERVER PODS AND THE ELASTICSEARCH-STATEFULSET PODS. |
| DT208487 | | | SEARCHING FOR USERS IN BAW FAILS WHEN IAM IS CONFIGURED WITHOUT LDAP (OKTA, AZURE AD) |
| DT209447 | | | BUTTONS IN CASE FOLDER TREE VIEW DOESN'T WORK CORRECTLY WHEN MORE THAN ONE CASE FOLDER TREE VIEW IN THE SAME CLIENT-SIDE HUMAN SERVICE |
| DT212094 | | | The NGINX container of the Elasticsearch pod reports a read-only file system error |
22.0.2 IF003
| APAR | Security APAR | Behavior change | Title |
|---|---|---|---|
| DT196140 | X | | SECURITY - CVE-2022-34917 in kafka-clients reported for bai-events-java-sdk |
| DT179527 | X | | SECURITY - SEVERAL SECURITY VULNERABILITIES ARE PRESENT IN BOOTSTRAP-3.3.4.JS |
| DT195919 | X | | SECURITY - CVE-2023-25194 - Update Apache Kafka for Case and Case History Emitters |
| DT188313 | | | THE LOGS OF DATABASE INIT JOB ARE NOT PERSISTED, AND THE TRACE SPECIFICATION CAN NOT BE SPECIFIED FOR THIS JOB |
| DT195750 | | | UPGRADE FAILS WITH NOCLASSDEFFOUNDERROR RELATED TO SCIM DURING DB-INIT JOB WHEN IMPORTING SNAPSHOTS |
| DT196158 | | | YOU SEE AN ERROR WHEN YOU TRY TO SAVE ACTIVITY PROPERTIES FOR A CASE ACTIVITY PROCESS THAT IS USING CLIENT-SIDE HUMAN SERVICE |
| DT196587 | | | tw.system.retrieveTaskList throws an error if the Dashboards toolkit is not upgraded to the latest version (later than 22.0.2) |
| DT197423 | | | USING WORKPLACE TO OPEN A DOCUMENT FROM A CLIENT-SIDE HUMAN SERVICE CASE VIEW DOESN'T OPEN THE DOCUMENT IN CONTENT NAVIGATOR VIEWER |
| DT197965 | | | INCORRECT IMAGE IS USED FOR IBM BUSINESS AUTOMATION WORKFLOW RUNTIME WHEN THE APP_DESIGNER COMPONENT IS ENABLED |
22.0.2 IF002
| APAR | Security APAR | Behavior change | Title |
|---|---|---|---|
| DT180564 | X | | SECURITY APAR CVE-2023-22860 - STORED XSS IN PROCESS ADMIN CONSOLE |
| DT188641 | X | | SECURITY - CVE-2023-24957 - Stored XSS vulnerability when performing a document upload using Responsive Document Explorer |
| DT179174 | | | WHEN CALLING BTS TEAM SERVICE, BUSINESS AUTOMATION WORKFLOW CACHES ACCESS TOKEN WITH WRONG EXPIRATION TIME |
| DT180488 | | | ON CLOUD PAK FOR BUSINESS AUTOMATION 22.0.2 CONNECTING EXTERNAL WORKFLOW PROCESS SERVER TO WORKFLOW AUTHORING MAY FAIL |
| DT188823 | | | JAVASCRIPT API JSON.STRINGIFY() DOES NOT RETURN THE CORRECT STRING VALUE AFTER UPGRADING TO IBM BUSINESS AUTOMATION WORKFLOW V22.0.2 |
| DT188910 | | | COMETD THROWS EXCEPTIONS FOR THE ADHOC GROUP CHANNEL ID |
| DT189146 | | | YOU MIGHT SEE OBJECTNOTFOUNDEXCEPTION:SNAPSHOT XXX ERROR AFTER INSTANCE MIGRATION WITH "DEFER-EC" SET TO TRUE |
| DT189645 | | | TOOLKIT UPGRADE RESULTS IN NOCLASSDEFFOUNDERROR DURING THE UPDATE OF TEAMS |
| DT189649 | | | After upgrading to 22.0.2, attempting to retrieve documents fails with "CWTBI0004E: The mandatory parameter 'Object type ID' is missing or empty" |
22.0.2 IF001
| APAR | Security APAR | Behavior change | Title |
|---|---|---|---|
| DT178578 | | | WORKFLOW SERVER PODS FREQUENTLY RESTARTING WHEN USING AUTOSCALING |
| DT179170 | | | PROCESS FEDERATION SERVER OPERATOR DOES NOT MONITOR MULTIPLE NAMESPACES |
| DT187952 | | | AN UNDEFINED WALKME ERROR CAUSES LOADING ICON TO BE DISPLAYED IN NAVIGATOR WORKPLACE |
| DT178901 | | | NOCLASSDEFFOUNDERROR OCCURS WHEN EXECUTING THE SCHEMAGENERATOR SCRIPT OF SAVED SEARCH ACCELERATION TOOLS IN LINUX OS |

Document change history
  • 26 January 2023: Updated with 22.0.2 IF001 details
  • 23 February 2023: Updated with 22.0.2 IF002 details
  • 31 March 2023: Updated with 22.0.2 IF003 details
  • 27 March 2023: Updated with 22.0.2 IF004 details
  • 2 June 2023: Updated with 22.0.2 IF005 details
  • 4 August 2023: Updated with 22.0.2 IF006 details

    Document Information

    Modified date:
    09 August 2023

    UID

    ibm16857793