IBM fixes three-year-old security vulnerability in Business Automation Workflow
The bundled version of the Dojo toolkit was apparently three years out of date and carried a critical vulnerability. IBM has now closed the gap and is tidying up its version lineup at the same time.
A security gap apparently existed for years in several versions of "IBM Business Automation Workflow" because of an outdated JavaScript library. IBM has now fixed it and advises users to update.
The Dojo toolkit has carried a critical vulnerability since 2021: a prototype-pollution flaw in its setObject helper (CVE-2021-23450, CVSS 9.8/10) that lets attacker-controlled property paths write into Object.prototype and, depending on how the application uses the affected objects, can escalate to arbitrary code execution. IBM warned of the flaw at the time and listed Business Automation Workflow among the affected products. A fix for that product, however, has only now appeared.
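As an added illustration, and not Dojo's own source or IBM's patched code, the following JavaScript sketches the pattern behind that CVE class: a dotted-path deep setter that auto-creates intermediate objects, next to a hardened variant that refuses reserved keys and only descends into own properties. Function names, the reserved-key list and the sample attacker path are assumptions chosen for the demonstration.

```javascript
// Added illustration, not Dojo's own source: a minimal deep setter in the
// shape of the pattern behind CVE-2021-23450 (prototype pollution through a
// dotted-path "setObject"-style helper), beside a hardened variant. All names
// here are hypothetical.

// Vulnerable: walks a dotted path and auto-creates intermediate objects
// without checking key names. "__proto__" on a plain object resolves to
// Object.prototype, so the final write lands on every object in the runtime.
function setObjectVulnerable(path, value, context) {
  const parts = path.split('.');
  const last = parts.pop();
  let obj = context;
  for (const part of parts) {
    if (obj[part] === undefined) obj[part] = {};
    obj = obj[part];
  }
  obj[last] = value;
  return value;
}

// Keys that must never be traversed or assigned from untrusted path strings.
const RESERVED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Hardened: reject reserved segments up front and only descend into own,
// object-valued properties, so inherited properties are never walked into.
function setObjectSafe(path, value, context) {
  const parts = path.split('.');
  for (const part of parts) {
    if (RESERVED_KEYS.has(part)) {
      throw new Error(`refusing to traverse reserved key "${part}"`);
    }
  }
  const last = parts.pop();
  let obj = context;
  for (const part of parts) {
    const own = Object.prototype.hasOwnProperty.call(obj, part);
    if (!own || typeof obj[part] !== 'object' || obj[part] === null) {
      obj[part] = {};
    }
    obj = obj[part];
  }
  obj[last] = value;
  return value;
}

// Feeds a constructed attacker-controlled path (as might arrive in a JSON
// body or a config value) to the given setter and reports what an unrelated,
// freshly created object then sees. Returns undefined when no pollution
// occurred, otherwise the injected value.
function probePollution(setter) {
  const target = {};
  const attackerPath = '__proto__.polluted';   // constructed malicious input
  try {
    setter(attackerPath, 'injected', target);
  } catch (e) {
    // the hardened setter throws here; the vulnerable one does not
  }
  const victim = {};
  const seen = victim.polluted;
  delete Object.prototype.polluted;            // undo any pollution so probes stay independent
  return seen;
}

// Legitimate use survives hardening: nested keys are still created on demand.
function legitimateUse() {
  const ctx = {};
  setObjectSafe('app.db.port', 5432, ctx);
  return ctx;
}

console.log('vulnerable setter leaks:', probePollution(setObjectVulnerable)); // "injected"
console.log('hardened setter leaks:', probePollution(setObjectSafe));          // undefined
console.log('legitimate path:', JSON.stringify(legitimateUse()));
```

The check that matters in a review is the second loop of the hardened version: blocking `__proto__` alone is not enough, because `constructor.prototype` reaches the same object, which is why both the reserved-key list and the own-property test are needed.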
Version proliferation simplified
Because the software exists in a large number of versions and in two packaging formats (a "traditional" installation and a container image), the list of affected editions is confusing. IBM is using the occasion to thin out the version jungle:
- Users of the containerized versions 20.0.0.x, 21.0.x, 22.0.x or 23.0.x should either move to the fixed interim fix 21.0.3-IF037 or go straight to the current release line with 24.0.0-IF003,
- users of the traditional version 21.0.3.1 should install the hotfix DT394647, and
- users of traditional versions 18 to 23 should plan to replace the entire environment.
All version numbers and the corresponding remediation steps are listed in IBM's detailed security bulletin.
(cku)