JR57397: SECURITY CVE-2017-1140 - PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY IN PROCESS PORTAL

bpm.8570.cf2017.03.delta.repository
8.0.1.3-WS-BPM-IFJR57397
8.5.0.2-WS-BPM-IFJR57397
8.5.5.0-WS-BPM-IFJR57397
8.5.5.0-WS-BPM-IFJR56691
8.5.6.2-WS-BPM-IFJR57288
Downloading IBM Business Process Manager V8.5.7 Cumulative Fix 2017.03

APAR status

• Closed as program error.

Error description

• CVEID: CVE-2017-1140
  DESCRIPTION: IBM Business Process Manager (BPM) is vulnerable to
  cross-site scripting. This vulnerability allows users to embed
  arbitrary JavaScript code in the web UI thus altering the
  intended functionality potentially leading to credentials
  disclosure within a trusted session.
  CVSS Base Score: 5.4
  CVSS Temporal Score:
  See https://exchange.xforce.ibmcloud.com/vulnerabilities/121905 
  for the current score
  CVSS Environmental Score*: Undefined
  CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
  
  PRODUCTS AFFECTED
  IBM BPM Advanced
  IBM BPM Standard
  IBM BPM Express
  

Local fix

Problem summary

• Because user input is insufficiently neutralized, a user can
  enter data that contains a script that can later run in another
  user's browser while displaying the first user's data.
  

Problem conclusion

• A fix is available for the latest fix pack of all supported IBM
  BPM releases: 8.0.1.3, 8.5.0.2, 8.5.5.0, 8.5.6.0 CF02, and will
  also be included in IBM BPM 8.5.7.0 CF 2017.03.
  
  This fix by default completely disables the vulnerable URL and
  updates all IBM BPM product components that cause requests to
  this URL to use the client-side JavaScript instead.
  

Temporary fix

• Not applicable.
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM ADVANCED

• Fixed component ID

  5725C9400

Applicable component levels