IBM Support

JR57478: SECURITY APAR CVE-2017-1159: THE WEB IBM PROCESS DESIGNER AND WEB VIEWER ARE VULNERABLE TO OPEN REDIRECTION ATTACKS

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct links to fixes

8.5.7.201703-WS-BPM-IFJR57478
8.5.6.2-WS-BPM-IFJR57478
8.5.5.0-WS-BPM-IFJR57478
8.5.0.2-WS-BPM-IFJR57478
8.0.1.3-WS-BPM-IFJR57478
bpm.8570.cf2017.06.delta.repository

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2017-1159
DESCRIPTION: IBM Business Process Manager (BPM) could allow a
remote attacker to conduct phishing attacks, using an open
redirect attack. By persuading a victim to visit a
specially-crafted web site, a remote attacker could exploit this
vulnerability to spoof the URL displayed to redirect a user to a
malicious web site that would appear to be trusted. This could
allow the attacker to obtain highly sensitive information or
conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/122891 for
the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

PRODUCTS AFFECTED
IBM BPM Advanced
IBM BPM Standard
IBM BPM Express

Local fix

  • 



Problem summary


    

  • No additional information is available.

    



Problem conclusion


    

  • A fix that ensures redirects are always relative, meaning that
they are on the same server, is available for the IBM BPM
V7.5.1.2, V8.0.1.3, V8.5.0.2, V8.5.5.0, and V8.5.6.2 fix packs
and is included in IBM BPM V8.5.7 cumulative fix 2017.03.

Note: A fix for IBM BPM V8.5.7 cumulative fix (CF) 2017.03 is
available even though IBM BPM V8.5.7 CF 2017.03 is not
vulnerable to this security issue. The intention of this interim
fix is to prevent the following unnecessary warning message in
IBM Installation Manager, which you see when you upgrade IBM
BPM:

"One or more fixes will be uninstalled when IBM(R) Business
Process Manager <Advanced | Standard | Express> is updated to
8.5.7. CF2017.03. The update does not address issues that were
resolved previously by the maintenance packages. The problems
might return if fixes for the the
following issues are not reapplied or have new fixes applied to
prevent the problems from returning.
  - JR57478 in the package IBM(R) Business Process Manager
<Advanced | Standard | Express> 8.5..."

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR57478
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    857
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-03-07
    • 

  • Closed date
    2017-05-18
    • 

  • Last modified date
    2017-10-17
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    

  • R855  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            17 October 2017
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback