IBM warns against code smuggling in Business Automation Workflow


IBM warns that a vulnerability in the Async component could allow malicious code to be smuggled into IBM Business Automation Workflow over the network. The cause is a so-called prototype pollution in the function mapValues(). Attackers could trick potential victims into opening specially crafted files and thereby exploit the vulnerability to run their own code on the system (CVE-2021-43138, CVSS 7.8, risk "high").

A prototype pollution attack exploits features of the JavaScript programming language: it injects properties into constructor prototypes, which lets attackers control values and object properties. They can use this to manipulate the program logic, which can result in a denial of service, for example, or even in the execution of smuggled code.
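A constructed JavaScript illustration of the bug class described above and its mitigation, added here as an example: a simplified recursive mapValues-style helper that writes the keys of untrusted input onto a plain object, beside a hardened variant. This is not the async library's own code; the function names, the JSON input and the blocked-key list are assumptions.

```javascript
// Constructed demonstration, not the async library's implementation.
// Both helpers apply fn() to every leaf value of `input`, recursing into
// nested objects, in the style of a mapValues() function.

// Keys that resolve to prototype machinery rather than plain data.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: the target inherits from Object.prototype, so a key named
// "__proto__" resolves to that prototype and the recursion writes the
// nested values onto it, where every object in the process can see them.
function mapValuesVulnerable(input, fn, target = {}) {
  for (const key of Object.keys(input)) {
    const value = input[key];
    if (value !== null && typeof value === 'object') {
      target[key] = mapValuesVulnerable(value, fn, target[key] || {});
    } else {
      target[key] = fn(value);
    }
  }
  return target;
}

// Hardened: results live on prototype-less objects, so "__proto__" is an
// ordinary own property with no setter, and keys that name prototype
// machinery are skipped instead of being written at all.
function mapValuesSafe(input, fn, target = Object.create(null)) {
  for (const key of Object.keys(input)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = input[key];
    if (value !== null && typeof value === 'object') {
      target[key] = mapValuesSafe(value, fn, Object.create(null));
    } else {
      target[key] = fn(value);
    }
  }
  return target;
}

// Feeds a constructed JSON document with a "__proto__" key (as JSON.parse
// produces it) through both variants and reports whether an unrelated
// object gained the injected property; restores Object.prototype afterwards.
function demonstrate() {
  const input = JSON.parse('{"name":"report","__proto__":{"isAdmin":true}}');
  const identity = (v) => v;
  const outcome = {};
  mapValuesVulnerable(input, identity);
  outcome.vulnerablePolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution for later checks
  mapValuesSafe(input, identity);
  outcome.safePolluted = ({}).isAdmin === true;
  return outcome;
}
```

The check that `({}).isAdmin` is undefined after processing untrusted input is the kind of regression test worth keeping next to any deep-merge or value-mapping helper.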

According to IBM's security advisory, the vulnerability affects IBM Business Automation Workflow Traditional as well as IBM Business Automation Workflow Containers in versions 21.0.2 and 21.0.3. In the advisory, the authors also link the available updates, which are provided as a so-called Interim Fix (iFix) or Cumulative Fix (CF). Alternatively, administrators can update to the non-vulnerable version 22.0.1. IBM does not seem to see any need to rush; the only recommendation is to apply the updates as soon as it is practicable.

IBM lists the versions of branches 18, 19 and 20 as well as 21.0.1 and 22.0.1 as unaffected. With these versions, IT managers do not have to take any action. The last acute vulnerability affecting IBM's Business Automation Workflow dates back more than a year.
