Fix Readme
Abstract
This readme is for IBM Business Automation Workflow on containers 22.0.2 interim fixes released periodically to resolve security vulnerabilities, as well as other defects. It includes information about the CASE package download, installation, and other information about interim fixes for the 22.0.2 release.
Content
Readme file for | IBM Business Automation Workflow on containers |
---|---|
Product release | 22.0.2 |
Publication date | 26 January 2023 |
Contents
Prerequisites and superseding fixes
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Components impacted
Before installation
Installing the interim fix
Performing the necessary tasks after installation
Uninstalling
List of fixes
Document change history
Prerequisites and superseding fixes
- Each interim fix typically supersedes all other previous interim fixes shipped for 22.0.2, and compliments a simultaneously delivered interim fix for IBM Cloud Pak for Business Automation 22.0.2. Consult the following table for specific relationships.
- Business Automation Workflow on containers delivers container images that include operating system level and other open source libraries. Vulnerabilities (CVEs) for these libraries are published regularly. These interim fixes include fixes for these libraries. Consult the superseded and related Cloud Pak for Business Automation 22.0.2 Readmes for specific information about vulnerabilities and other defects that have been addressed.
Business Automation Workflow on containers interim fixes
Interim fix name | Superseded interim fix names | CASE package | Complimentary Cloud Pak for Business Automation interim fix name | Released |
22.0.2 IF006 | See note (*) below | ibm-cs-bawautomation-2.4.7.tgz | 22.0.2 IF006 | June 2023 |
22.0.2 IF005 | See note (*) below | ibm-cs-bawautomation-2.4.6.tgz | 22.0.2 IF005 | May 2023 |
22.0.2 IF004 | See note (*) below | ibm-cs-bawautomation-2.4.5.tgz | 22.0.2 IF004 | April 2023 |
22.0.2 IF003 | See note (*) below | ibm-cs-bawautomation-2.4.4.tgz | 22.0.2 IF003 | March 2023 |
22.0.2 IF002 | * Note: All previous interim fixes listed in this table | ibm-cs-bawautomation-2.4.3.tgz | 22.0.2 IF002 | February 2023 |
22.0.2 IF001 | None | ibm-cs-bawautomation-2.4.2.tgz | 22.0.2 IF001 | January 2023 |
The previous table is chronologically listed in reverse order, with more recent fixes listed at the top.
Components impacted
Before installation
a. Ensure you back up all databases associated with the environment.
b. Ensure your operators are in a healthy state before upgrading.
If one or more operators are failing, the system might be prevented from completing an upgrade. Check a few of the important custom resource (CR) statuses for failures and to ensure the statuses appear ready for the various installed components.
Check the status of the following CRs when they exist:
oc get icp4acluster -o yaml
Installing the interim fix
Important: Using individual image tag settings in your Business Automation Workflow CR file could prevent the operator from updating the images to the appropriate version. When you upgrade, ensure you remove these settings for a production installation.
Use the CASE package that is associated with the interim fix being applied. It is typically recommended that the latest interim fix be applied. To identify the appropriate CASE package, as well as links to obtain each package, see the table under Prerequisites and superseding fixes.
Business Automation Workflow 22.0.2 interim fixes are released to the v22.2 operator channel. After the operator is upgraded, rolling updates for all the pods the operator manages are triggered to ensure they are updated to the appropriate version that matches the operator.
If your environment has access to the IBM entitled registry and has an automatic v22.2 channel subscription, enterprise installations are upgraded automatically. This upgrade usually occurs when the interim fix is released or when images are mirrored for air-gap setup.
Depending on the current setup and state of your existing environment, various manual actions might be required. The following scenarios cover what actions might be needed for a particular setup.
- Scenario 1: Your installation is version 21.0.2.x or earlier.
Actions: If you are using a version earlier than 21.0.3, you must upgrade first. To upgrade your environment, follow the Upgrading automation containers instructions.
When you perform the upgrade, you can substitute the CASE package from this interim fix for the 22.0.2 CASE package while you follow the instructions. For air-gapped environments, you can use the case save command in step 1 of scenario 3.
Note: If you are using versions that are earlier than 21.0.2, you must incrementally upgrade and follow the instructions for each version between your source version and 22.0.2. - Scenario 2: Your installation is online and 22.0.2.x.
Actions: After these steps are completed, the operators are automatically upgraded.
You can apply the following catalog sources from a command line by creating a YAML file (for example, cp4ba_catalog_sources.yaml) with the following catalog sources and performing "oc apply -f cp4ba_catalog_sources.yaml", or you can apply the catalog sources by using the OCP console.apiVersion: operators.coreos.com/v1alpha1 kind: CatalogSource metadata: name: ibm-operator-catalog namespace: openshift-marketplace spec: displayName: "IBM Operator Catalog" image: icr.io/cpopen/ibm-operator-catalog publisher: IBM sourceType: grpc updateStrategy: registryPoll: interval: 45m
- Scenario 3: Your installation is air gapped and 22.0.2.x.
- Set up the environment variables for CASE, taking 22.0.2-IF001 as example:
- export CASE_NAME=ibm-cs-bawautomation
- export OFFLINEDIR=/tmp/cp4ba2202-if001
- export CASE_VERSION=2.4.2
- export CASE_INVENTORY_SETUP=cp4aOperatorSetup
- export CASE_ARCHIVE=${CASE_NAME}/${CASE_VERSION}/${CASE_NAME}-${CASE_VERSION}.tgz
- export CASE_LOCAL_PATH=${OFFLINEDIR}/${CASE_ARCHIVE}
- Download the Cloud Pak archives and image inventory, and put them in the offline store
cloudctl case save \ --case https://github.com/IBM/cloud-pak/raw/master/repo/case/${CASE_ARCHIVE} \ --outputdir ${OFFLINEDIR}
andthen unpack the case file:cd ${OFFLINEDIR} tar -xvzf ${CASE_ARCHIVE} cd cert-kubernetes
- Mirror images to trigger the operator upgrades.
- Mirror the entitled registry images to the local registry by completing the same steps you followed during installation. For more information, see Mirroring images to the private registry.
Important: Ensure you use the CASE image outputdir (/tmp/cp4ba-241) from step 1. - If you have subscriptions set to manual, you must approve all the pending operator updates.
Important: Do not set subscriptions to manual because it can make the the upgrade more error prone if some of the many operator updates are not approved. By default all subscriptions are set to automatic.
- Set up the environment variables for CASE, taking 22.0.2-IF001 as example:
After the operators are upgraded, the upgrade of the related deployments and pods is triggered.
Note: Since 22.0.2-IF006, IF you purchase the cp4a production license, you need input the CP4A for sc_deployment_context in the CR file.
Performing the necessary tasks after installation
Review the installation
Review the CR yaml status section and operator logs after the upgrade to ensure no failures prevented your pods from upgrading.
oc get icp4acluster -o yaml > CP4BAconfig.yaml
oc logs deployment/ibm-cp4a-operator -c operator > operator.log
To verify the expected image digest for a particular image, review the
ibm-cp-automation\inventory\cp4aOperatorSdk\resources.yaml
file in the CASE package. This file has a listing of the images managed by the Cloud Pak for Business Automation operator and their expected digest for this particular interim fix level.Uninstalling
There is no procedure to uninstall the interim fix.
List of fixes
The following APARs are specific to Business Automation Workflow on containers. Depending on the components and capabilities you installed and configured, additional fix information might apply to you. See the "List of Fixes" in the readmes linked under Complimentary Cloud Pak for Business Automation interim fixes in the Prerequisites and superseding fixes section in this document. These readmes detail vulnerability fixes shipped with interim fixes for included operating system level and other open source libraries. The fixes below are also listed in those readmes, but they are also listed here as a convenience.
Fixes that involve security are indicated with an X mark.
Business Automation Workflow
22.0.2 IF006
APAR | Security APAR | Behavior change | Title |
---|---|---|---|
DT189179 | Running Process Portal on Chrome version 109 and later shows an error on the browser console | ||
DT214551 | TASK NARRATIVE SECTION IN EMAIL NOTIFICATION IS EMPTY IN PROCESS PORTAL | ||
DT215160 | REST API /OPS/STD/BPM/SAVED_SEARCH_ACCELERATION/OPTIMIZE FAILS TO LOAD DATA INTO SAVED SEARCH ACCELERATION TOOLS TABLE | ||
DT220253 | TASK NARRATIVE SECTION IN EMAIL NOTIFICATION IS NOT POPULATED FOR ALL TASKS IN PROCESS PORTAL |
22.0.2 IF005
APAR | Security APAR | Behavior change | Title |
---|---|---|---|
DT198220 | X | Reflected Cross-site scripting (XSS) IBM BAW 21.0.3 Security Exposure | |
DT211505 | X | SECURITY APAR - CVE-2023-20863 IN SPRING EXPRESSIONS | |
DT213491 | X | SECURITY APAR - VULNERABILITY PRISMA-2023-0067 REPORTED FOR JACKSON-CORE IN BPM EVENT EMITTERS | |
DT209317 | TYPE AHEAD TEXT VIEW DOES NOT UPDATE ITS DATA BINDING WHEN AN OPTION IS SELECTED FROM LIST AND TEXT FIELD IS CLEARED | ||
DT213407 | You notice the input data mappings for a call service activity of a heritage human service does not get saved when edited in IBM Process Designer | ||
DT210959 | Entries with TASK_ID=NULL are never removed from the PFS_BPD_CHANGE_LOG TABLE if process instance indexing is not enabled for the federated system | ||
DT213689 | Heritage human service editor diagram is not displaying stand-alone error event correctly | ||
DT188910 | COMETD THROWS EXCEPTIONS FOR THE ADHOC GROUP CHANNEL ID AND GROUP THAT INCLUDES SPECIAL CHARACTERS | ||
DT215795 | Unexpected heartbeat ConnectException is found in the workflow server FFDC logs |
22.0.2 IF004
APAR | Security APAR | Behavior change | Title |
---|---|---|---|
DT197974 | X | SECURITY VULNERABILITY IN COMMONS-FILEUPLOAD AFFECTS IBM BUSINESS AUTOMATION WORKFLOW AND CLOUD PAK FOR BUSINESS AUTOMATION | |
DT208579 | X | SECURITY APAR - CVE-2022-1471 REPORTED FOR SNAKEYAML IN BPMEVENTEMITTER | |
DT208782 | X | SECURITY APAR - CVE-2022-1471 REPORTED FOR SNAKEYAML IN BPMEVENTEMITTER | |
DT209212 | X | SECURITY APAR - CVE-2023-20861 IN BPM/LOMBARDI/LIB/SPRING-EXPRESSIONS.JAR | |
DT208139 | IBM Process Federation Server indexers not reprocessing tasks and instances updates after a communication exception with Elasticsearch | ||
DT209774 | NO TIMEZONE SETTING CAN BE CONFIGURED FOR THE PROCESS FEDERATION SERVER PODS AND THE ELASTICSEARCH-STATEFULSET PODS. | ||
DT208487 | SEARCHING FOR USERS IN BAW FAILS WHEN IAM IS CONFIGURED WITHOUT LDAP (OKTA, AZURE AD) | ||
DT209447 | BUTTONS IN CASE FOLDER TREE VIEW DOESN'T WORK CORRECTLY WHEN MORE THAN ONE CASE FOLDER TREE VIEW IN THE SAME CLIENT-SIDE HUMAN SERVICE | ||
DT212094 | The NGINX container of the Elasticsearch pod reports a read-only file system error |
22.0.2 IF003
APAR | Security APAR | Behavior change | Title |
---|---|---|---|
DT196140 | X | SECURITY - CVE-2022-34917 in kafka-clients reported for bai-events-java-sdk | |
DT179527 | X | SECURITY - SEVERAL SECURITY VULNERABILITIES ARE PRESENT IN BOOTSTRAP-3.3.4.JS | |
DT195919 | X | SECURITY - CVE-2023-25194 - Update Apache Kafka for Case and Case History Emitters | |
DT188313 | THE LOGS OF DATABASE INIT JOB ARE NOT PERSISTED, AND THE TRACE SPECIFICATION CAN NOT BE SPECIFIED FOR THIS JOB | ||
DT195750 | UPGRADE FAILS WITH NOCLASSDEFFOUNDERROR RELATED TO SCIM DURING DB-INIT JOB WHEN IMPORTING SNAPSHOTS | ||
DT196158 | YOU SEE AN ERROR WHEN YOU TRY TO SAVE ACTIVITY PROPERTIES FOR A CASE ACTIVITY PROCESS THAT IS USING CLIENT-SIDE HUMAN SERVICE | ||
DT196587 | tw.system.retrieveTaskList throws an error if the Dashboards toolkit is not upgraded to the latest version (later than 22.0.2) | ||
DT197423 | USING WORKPLACE TO OPEN A DOCUMENT FROM A CLIENT-SIDE HUMAN SERVICE CASE VIEW DOESN'T OPEN THE DOCUMENT IN CONTENT NAVIGATOR VIEWER | ||
DT197965 | INCORRECT IMAGE IS USED FOR IBM BUSINESS AUTOMATION WORKFLOW RUNTIME WHEN THE APP_DESIGNER COMPONENT IS ENABLED |
22.0.2 IF002
APAR | Security APAR | Behavior change | Title |
---|---|---|---|
DT180564 | X | SECURITY APAR CVE-2023-22860 - STORED XSS IN PROCESS ADMIN CONSOLE | |
DT188641 | X | SECURITY - CVE-2023-24957 - Stored XSS vulnerability when performing a document upload using Responsive Document Explorer | |
DT179174 | WHEN CALLING BTS TEAM SERVICE, BUSINESS AUTOMATION WORKFLOW CACHES ACCESS TOKEN WITH WRONG EXPIRATION TIME | ||
DT180488 |
ON CLOUD PAK FOR BUSINESS AUTOMATION 22.0.2 CONNECTING EXTERNAL WORKFLOW PROCESS SERVER TO WORKFLOW AUTHORING MAY FAIL
|
||
DT188823 | JAVASCRIPT API JSON.STRINGIFY() DOES NOT RETURN THE CORRECT STRING VALUE AFTER UPGRADING TO IBM BUSINESS AUTOMATION WORKFLOW V22.0.2 | ||
DT188910 | COMETD THROWS EXCEPTIONS FOR THE ADHOC GROUP CHANNEL ID | ||
DT189146 | YOU MIGHT SEE OBJECTNOTFOUNDEXCEPTION:SNAPSHOT XXX ERROR AFTER INSTANCE MIGRATION WITH "DEFER-EC" SET TO TRUE | ||
DT189645 | TOOLKIT UPGRADE RESULTS IN NOCLASSDEFFOUNDERROR DURING THE UPDATE OF TEAMS | ||
DT189649 | After upgrading to 22.0.2, attempting to retrieve documents fails with "CWTBI0004E: The mandatory parameter 'Object type ID' is missing or empty" |
22.0.2 IF001
APAR | Security APAR | Behavior change | Title |
---|---|---|---|
DT178578 | WORKFLOW SERVER PODS FREQUENTLY RESTARTING WHEN USING AUTOSCALING | ||
DT179170 | PROCESS FEDERATION SERVER OPERATOR DOES NOT MONITOR MULTIPLE NAMESPACES | ||
DT187952 | AN UNDEFINED WALKME ERROR CAUSES LOADING ICON TO BE DISPLAYED IN NAVIGATOR WORKPLACE | ||
DT178901 | NOCLASSDEFFOUNDERROR OCCURS WHEN EXECUTING THE SCHEMAGENERATOR SCRIPT OF SAVED SEARCH ACCELERATION TOOLS IN LINUX OS |
Document change history
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS8JB4","label":"IBM Business Automation Workflow"},"ARM Category":[{"code":"a8m50000000CcWOAA0","label":"Security"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Type":"MASTER"}]
Was this topic helpful?
Document Information
Modified date:
09 August 2023
UID
ibm16857793