cnvd - cnvd-2020-19866

cnvd-2020-19866

Vulnerability from cnvd

Title: IBM Business Process Manager和IBM Business Automation Workflow拒绝服务漏洞

Description:

IBM Business Process Manager（BPM）和IBM Business Automation Workflow都是美国IBM公司的产品。IBM Business Process Manager是一套综合的业务流程管理平台。该平台为业务的流程建模、组装、监控和部署提供了一系列的相关工具。IBM Business Automation Workflow是一套工作流程自动化解决方案。该产品主要用于工作流程管理、合规性管理，并具有工作流程可见性和可扩展等特点。

IBM Business Automation Workflow和BPM中存在安全漏洞。该漏洞源于网络系统或产品对系统资源（如内存、磁盘空间、文件等）的管理不当。攻击者可能会在通过身份认证后利用该漏洞发送一个耗尽服务器端内存的特制请求，导致拒绝服务。

Severity: 中

Patch Name: IBM Business Process Manager和IBM Business Automation Workflow拒绝服务漏洞的补丁

Patch Description:

IBM Business Automation Workflow和BPM中存在安全漏洞。该漏洞源于网络系统或产品对系统资源（如内存、磁盘空间、文件等）的管理不当。攻击者可能会在通过身份认证后利用该漏洞发送一个耗尽服务器端内存的特制请求，导致拒绝服务。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www-01.ibm.com/support/docview.wss?uid=ibm10794831

Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-1997

Impacted products

Name
['IBM Business Process Manager 8.5.5.0', 'IBM Business Process Manager 8.6.0.0', 'IBM Business Process Manager 8.5.7.0', 'IBM Business Automation Workflow 18.0.0.0', 'IBM Business Automation Workflow 18.0.0.1', 'IBM Business Automation Workflow 18.0.0.2', 'IBM Business Process Manager 8.5 1', 'IBM Business Process Manager 8.5.0.0', 'IBM Business Process Manager 8.5.0.2', 'IBM Business Process Manager 8.5.6.0', 'IBM Business Process Manager 8.5.6.0 CF 2', 'IBM Business Process Manager 8.5.7.0 CF 2016.12', 'IBM Business Process Manager 8.5.7.0 CF 2017.03', 'IBM Business Process Manager 8.5.7.0 CF 2017.06', 'IBM Business Process Manager 8.6.0.0 CF 2018.03']

Name

['IBM Business Process Manager 8.5.5.0', 'IBM Business Process Manager 8.6.0.0', 'IBM Business Process Manager 8.5.7.0', 'IBM Business Automation Workflow 18.0.0.0', 'IBM Business Automation Workflow 18.0.0.1', 'IBM Business Automation Workflow 18.0.0.2', 'IBM Business Process Manager 8.5 1', 'IBM Business Process Manager 8.5.0.0', 'IBM Business Process Manager 8.5.0.2', 'IBM Business Process Manager 8.5.6.0', 'IBM Business Process Manager 8.5.6.0 CF 2', 'IBM Business Process Manager 8.5.7.0 CF 2016.12', 'IBM Business Process Manager 8.5.7.0 CF 2017.03', 'IBM Business Process Manager 8.5.7.0 CF 2017.06', 'IBM Business Process Manager 8.6.0.0 CF 2018.03']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108513"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-1997",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2018-1997"
    }
  },
  "description": "IBM Business Process Manager\uff08BPM\uff09\u548cIBM Business Automation Workflow\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Business Process Manager\u662f\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4e1a\u52a1\u7684\u6d41\u7a0b\u5efa\u6a21\u3001\u7ec4\u88c5\u3001\u76d1\u63a7\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u7cfb\u5217\u7684\u76f8\u5173\u5de5\u5177\u3002IBM Business Automation Workflow\u662f\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5de5\u4f5c\u6d41\u7a0b\u7ba1\u7406\u3001\u5408\u89c4\u6027\u7ba1\u7406\uff0c\u5e76\u5177\u6709\u5de5\u4f5c\u6d41\u7a0b\u53ef\u89c1\u6027\u548c\u53ef\u6269\u5c55\u7b49\u7279\u70b9\u3002\n\nIBM Business Automation Workflow\u548cBPM\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5bf9\u7cfb\u7edf\u8d44\u6e90\uff08\u5982\u5185\u5b58\u3001\u78c1\u76d8\u7a7a\u95f4\u3001\u6587\u4ef6\u7b49\uff09\u7684\u7ba1\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u5728\u901a\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u540e\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u9001\u4e00\u4e2a\u8017\u5c3d\u670d\u52a1\u5668\u7aef\u5185\u5b58\u7684\u7279\u5236\u8bf7\u6c42\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www-01.ibm.com/support/docview.wss?uid=ibm10794831",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-19866",
  "openTime": "2020-03-28",
  "patchDescription": "IBM Business Process Manager\uff08BPM\uff09\u548cIBM Business Automation Workflow\u90fd\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4ea7\u54c1\u3002IBM Business Process Manager\u662f\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3a\u4e1a\u52a1\u7684\u6d41\u7a0b\u5efa\u6a21\u3001\u7ec4\u88c5\u3001\u76d1\u63a7\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u7cfb\u5217\u7684\u76f8\u5173\u5de5\u5177\u3002IBM Business Automation Workflow\u662f\u4e00\u5957\u5de5\u4f5c\u6d41\u7a0b\u81ea\u52a8\u5316\u89e3\u51b3\u65b9\u6848\u3002\u8be5\u4ea7\u54c1\u4e3b\u8981\u7528\u4e8e\u5de5\u4f5c\u6d41\u7a0b\u7ba1\u7406\u3001\u5408\u89c4\u6027\u7ba1\u7406\uff0c\u5e76\u5177\u6709\u5de5\u4f5c\u6d41\u7a0b\u53ef\u89c1\u6027\u548c\u53ef\u6269\u5c55\u7b49\u7279\u70b9\u3002\r\n\r\nIBM Business Automation Workflow\u548cBPM\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u5bf9\u7cfb\u7edf\u8d44\u6e90\uff08\u5982\u5185\u5b58\u3001\u78c1\u76d8\u7a7a\u95f4\u3001\u6587\u4ef6\u7b49\uff09\u7684\u7ba1\u7406\u4e0d\u5f53\u3002\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u5728\u901a\u8fc7\u8eab\u4efd\u8ba4\u8bc1\u540e\u5229\u7528\u8be5\u6f0f\u6d1e\u53d1\u9001\u4e00\u4e2a\u8017\u5c3d\u670d\u52a1\u5668\u7aef\u5185\u5b58\u7684\u7279\u5236\u8bf7\u6c42\uff0c\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Business Process Manager\u548cIBM Business Automation Workflow\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "IBM Business Process Manager 8.5.5.0",
      "IBM Business Process Manager 8.6.0.0",
      "IBM Business Process Manager 8.5.7.0",
      "IBM Business Automation Workflow 18.0.0.0",
      "IBM Business Automation Workflow 18.0.0.1",
      "IBM Business Automation Workflow 18.0.0.2",
      "IBM Business Process Manager 8.5 1",
      "IBM Business Process Manager 8.5.0.0",
      "IBM Business Process Manager 8.5.0.2",
      "IBM Business Process Manager 8.5.6.0",
      "IBM Business Process Manager 8.5.6.0 CF 2",
      "IBM Business Process Manager 8.5.7.0 CF 2016.12",
      "IBM Business Process Manager 8.5.7.0 CF 2017.03",
      "IBM Business Process Manager 8.5.7.0 CF 2017.06",
      "IBM Business Process Manager 8.6.0.0 CF 2018.03"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2018-1997",
  "serverity": "\u4e2d",
  "submitTime": "2019-07-05",
  "title": "IBM Business Process Manager\u548cIBM Business Automation Workflow\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e"
}

CVE-2018-1997 (GCVE-0-2018-1997)

Vulnerability from cvelistv5

Published

2019-04-08 14:50

Modified

2024-09-16 23:52

Severity ?

4.3 (Medium) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C

CWE

Denial of Service

Summary

IBM Business Automation Workflow and Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 are vulnerable to a denial of service attack. An authenticated attacker might send a specially crafted request that exhausts server-side memory. IBM X-Force ID: 154774.

References

▼	URL	Tags
	https://www.ibm.com/support/docview.wss?uid=ibm10794831	x_refsource_CONFIRM
	https://exchange.xforce.ibmcloud.com/vulnerabilities/154774	vdb-entry, x_refsource_XF

Impacted products

	Vendor	Product	Version
	IBM	Business Automation Workflow	Version: 18.0.0.0 Version: 18.0.0.1 Version: 18.0.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T04:14:39.653Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794831"
          },
          {
            "name": "ibm-baw-cve20181997-dos (154774)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/154774"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Business Automation Workflow",
          "vendor": "IBM",
          "versions": [
            {
              "status": "affected",
              "version": "18.0.0.0"
            },
            {
              "status": "affected",
              "version": "18.0.0.1"
            },
            {
              "status": "affected",
              "version": "18.0.0.2"
            }
          ]
        }
      ],
      "datePublic": "2019-04-04T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Business Automation Workflow and Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 are vulnerable to a denial of service attack. An authenticated attacker might send a specially crafted request that exhausts server-side memory. IBM X-Force ID: 154774."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitCodeMaturity": "UNPROVEN",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "remediationLevel": "OFFICIAL_FIX",
            "reportConfidence": "CONFIRMED",
            "scope": "UNCHANGED",
            "temporalScore": 3.8,
            "temporalSeverity": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/A:L/PR:L/I:N/AC:L/C:N/S:U/UI:N/AV:N/RL:O/E:U/RC:C",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Denial of Service",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-08T14:50:37",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794831"
        },
        {
          "name": "ibm-baw-cve20181997-dos (154774)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/154774"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "DATE_PUBLIC": "2019-04-04T00:00:00",
          "ID": "CVE-2018-1997",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Business Automation Workflow",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "18.0.0.0"
                          },
                          {
                            "version_value": "18.0.0.1"
                          },
                          {
                            "version_value": "18.0.0.2"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Business Automation Workflow and Business Process Manager 18.0.0.0, 18.0.0.1, and 18.0.0.2 are vulnerable to a denial of service attack. An authenticated attacker might send a specially crafted request that exhausts server-side memory. IBM X-Force ID: 154774."
            }
          ]
        },
        "impact": {
          "cvssv3": {
            "BM": {
              "A": "L",
              "AC": "L",
              "AV": "N",
              "C": "N",
              "I": "N",
              "PR": "L",
              "S": "U",
              "UI": "N"
            },
            "TM": {
              "E": "U",
              "RC": "C",
              "RL": "O"
            }
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.ibm.com/support/docview.wss?uid=ibm10794831",
              "refsource": "CONFIRM",
              "title": "IBM Security Bulletin 794831 (Business Automation Workflow)",
              "url": "https://www.ibm.com/support/docview.wss?uid=ibm10794831"
            },
            {
              "name": "ibm-baw-cve20181997-dos (154774)",
              "refsource": "XF",
              "title": "X-Force Vulnerability Report",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/154774"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2018-1997",
    "datePublished": "2019-04-08T14:50:37.952252Z",
    "dateReserved": "2017-12-13T00:00:00",
    "dateUpdated": "2024-09-16T23:52:15.945Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted