IBM Support

JR59569: SECURITY APAR - CVE-2018-1674 - SQL INJECTION OCCURS IN A REST API

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2018-1674
    DESCRIPTION: IBM Business Process Manager is vulnerable to SQL
    injection. A remote attacker could send specially-crafted SQL
    statements, which could allow the attacker to view, add, modify
    or delete information in the back-end database.
    CVSS Base Score: 6.3
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/145109 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix that ensures user input is properly escaped when used in a
     SQL query is available for the latest fix pack of all supported
     IBM BPM releases (V8.5.0.2, V8.5.5.0, V8.5.6.0 CF02, V8.5.7.0
    CF 2017.06, V8.6.0.0. CF 2018.03) and will be included in a
    future release of IBM Business Automation Workflow.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR59569

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    857

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-06-11

  • Closed date

    2018-09-18

  • Last modified date

    2018-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels



Document information

More support for: IBM Business Process Manager Standard

Software version: 857

Reference #: JR59569

Modified date: 18 September 2018