Security Updates

Products Security Bulletins 2021

Code             Product   Versions            Impact of vulnerabilities     Severity   Date
Weak encryption  iBPMS     2020.3.6 or older   Weak encryption               High       27.07.21
SQL Injection    iBPMS     2020.3.6 or older   SQL Injection vulnerability   High       27.07.21

Weak encryption within iBPMS 2020.3.6 or older

Vulnerability Description: 

This issue occurs in all versions before 2021.1. 

Remediation:

iBPMS version 2021.1 contains a fix for this vulnerability; updating to it is therefore required.
Upon starting the FireStart server, you need to configure an encryption key in the configuration wizard, which is used to migrate the existing encrypted data to the new encryption.
If you have created backup exports, please recreate them, as the old backups may still contain data protected by the weak encryption.

FAQs: 

Will this update impact my users?

If users want to import an export file from a server with a different encryption key, the export file needs to have been created with a password. If no password was provided, the passwords contained in the export file cannot be imported and have to be configured again.


SQL Injection vulnerability within iBPMS 2020.3.6 or older

Vulnerability Description: 

SQL injections were possible in the SQL activities if any workflow variables or business entity fields were used within the activities.
In any place where a user could enter a value that was bound into the activity execution or the wizard, that user could enter an SQL injection.

Remediation:

  • Recommended Approach: Update the FireStart server to version 2021.1.

  • Validate user inputs in the workflow and make sure that no SQL injection payloads reach the SQL activities.

  • Do not use SQL activities.
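The following added example is not FireStart code; it illustrates the class of defect described above and the remediation of validating bound values. It assumes a hypothetical in-memory SQLite table standing in for a business entity store, and contrasts splicing a workflow variable into the statement text (the vulnerable pattern) with binding it as a query parameter, plus an allow-list validator that rejects values which do not look like plain workflow data before they reach any SQL activity. The allow-list pattern and the sample rows are constructed for this example.

```python
import re
import sqlite3

# Constructed sample data: a stand-in for a business entity table (assumption).
SAMPLE_ROWS = [("alice", 100), ("bob", 250), ("carol", 40)]


def make_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO customers(name, balance) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable pattern: the workflow variable is spliced into the SQL text.

    Whatever the user typed becomes part of the statement, so the value can
    change the structure of the query instead of only its data.
    """
    sql = f"SELECT id, name, balance FROM customers WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened pattern: the variable is bound as a parameter.

    The database driver treats the value purely as data; no characters in it
    can alter the query structure.
    """
    return conn.execute(
        "SELECT id, name, balance FROM customers WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical allow-list for workflow variables that feed SQL activities:
# letters, digits, and a few safe punctuation characters, at most 64 long.
VARIABLE_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def validate_variable(value):
    """Return True only if the bound value matches the allow-list policy."""
    return isinstance(value, str) and VARIABLE_RE.fullmatch(value) is not None


def run_demo():
    """Run both lookups with a benign and a tampered value and report row counts."""
    conn = make_db()
    benign = "alice"
    tampered = "' OR '1'='1"  # classic tautology used in SQL injection training material
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_tampered": len(lookup_unsafe(conn, tampered)),  # every row leaks
        "safe_tampered": len(lookup_safe(conn, tampered)),      # no row matches
        "validator_rejects_tampered": not validate_variable(tampered),
        "validator_accepts_benign": validate_variable(benign),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The difference in the two row counts is the whole story: with string splicing the tampered value turns a single-record lookup into a full table read, while the bound parameter returns nothing because no customer is literally named `' OR '1'='1`. The validator is a second, independent layer for the case where a legacy activity cannot yet be moved to bound parameters.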

FAQs:

Will this update impact my users?

Intentionally using stored procedures or SQL injection in the SQL activities is no longer supported.