High Severity

IBM Security Bulletin: IBM Domino server IMAP EXAMINE command stack buffer overflow (CVE-2017-1274)

A vulnerability in the IBM Domino server IMAP EXAMINE command potentially could be exploited by an authenticated user resulting in a stack buffer overflow. This could allow a remote attacker to execute code with the privileges of the Domino server. Current 64-bit platforms leverage ASLR (Address Space Layout Randomization) which dramatically reduces the probability of […]

Apache Struts Jakarta Multi-part Parser Code Execution (CVE-2017-5638)

On March 6, 2017, a code execution vulnerability in the Apache Struts Jakarta Multi-part parser was reported by Apache. IBM is analyzing its products to determine which ones may be affected by this vulnerability. Affected IBM products will issue mitigations and/or fixes as soon as possible. Please actively monitor both your IBM Support Portal […]

IBM Security Bulletin: privilege escalation in IBM Business Process Manager (BPM) – CVE-2017-1539

Sep 23, 2017 10:00 am EDT | Medium Severity

Synchronization between the user registry and the IBM BPM database leads to invalid memberships when there is an internal group in the IBM BPM database and a group in the user registry with the same name. CVE(s): CVE-2017-1539. Affected product(s) and affected version(s): – IBM Business Process Manager V7.5.0.0 through V7.5.1.2 – IBM Business ...


IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Center Console (CVE-2017-1531)

Sep 23, 2017 10:00 am EDT | Medium Severity

IBM Business Process Manager (BPM) Process Center Console is vulnerable to a persisted Cross-Site Scripting attack. CVE(s): CVE-2017-1531. Affected product(s) and affected version(s): – IBM Business Process Manager V7.5.0.0 through V7.5.1.2 – IBM Business Process Manager V8.0.0.0 through V8.0.1.3 – IBM Business Process Manager V8.5.0.0 through V8.5.0.2 – IBM Business Process Manager V8.5.5.0 – IBM ...


IBM Security Bulletin: Cross-Site Scripting vulnerability affects IBM Business Process Manager Process Admin Console (CVE-2017-1530)

Sep 23, 2017 10:00 am EDT | Medium Severity

IBM Business Process Manager (BPM) Process Admin Console is vulnerable to a persisted Cross-Site Scripting attack. CVE(s): CVE-2017-1530. Affected product(s) and affected version(s): – IBM Business Process Manager V7.5.0.0 through V7.5.1.2 – IBM Business Process Manager V8.0.0.0 through V8.0.1.3 – IBM Business Process Manager V8.5.0.0 through V8.5.0.2 – IBM Business Process Manager V8.5.5.0 – IBM ...


IBM Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527)

Sep 23, 2017 10:00 am EDT | High Severity

IBM Business Process Manager (BPM) can process XML messages, including messages from untrusted sources. Because of insufficient restriction of an XML parser, XML External Entity injection allows an authenticated remote attacker to send specially crafted XML messages and thus cause a denial of service by exhausting system resources or exfiltrate sensitive information. CVE(s): CVE-2017-1527. Affected ...


IBM Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (BPM) – CVE-2017-1425

Sep 23, 2017 10:00 am EDT | Medium Severity

IBM BPM reflects untrusted user input without fully removing HTML markup. This might allow an attacker to control parts of the user interface and possibly inject script. CVE(s): CVE-2017-1425. Affected product(s) and affected version(s): – IBM Business Process Manager V8.0.1.1 – IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06. Note that release 8.0.1.2, 8.0.1.3, 8.5.5.0, and 8.5.6 ...


IBM Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Workload Scheduler

Sep 23, 2017 10:00 am EDT | High Severity

OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM Workload Manager. IBM Workload Manager has addressed the applicable CVEs. CVE(s): CVE-2016-6302, CVE-2016-6305, CVE-2016-6303, CVE-2016-6304, CVE-2016-2182, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-2181, CVE-2016-6309, CVE-2016-7052, CVE-2016-2180, CVE-2016-2179, CVE-2000-1254. Affected product(s) and affected version(s): TWS uses OpenSSL only for secure communication between internal processes. ...


IBM Security Bulletin: API Connect is affected by a vulnerability by which an authenticated user could generate an API token

Sep 22, 2017 10:00 am EDT | Medium Severity

API Connect has addressed the following vulnerability. An authenticated user could be allowed to generate an API token when not subscribed to the application plan. CVE(s): CVE-2017-1555. Affected product(s) and affected version(s): IBM API Connect 5.0.0.0-5.0.6.3; IBM API Connect 5.0.7.0-5.0.7.2. Refer to the following reference URLs for remediation and additional ...


IBM Security Bulletin: API Connect is affected by a Cross Frame Scripting vulnerability CVE-2017-1551

Sep 22, 2017 10:00 am EDT | Medium Severity

API Connect has addressed the following vulnerability. IBM API Connect could allow a remote attacker to hijack the clicking action of the victim. CVE(s): CVE-2017-1551. Affected product(s) and affected version(s): IBM API Connect 5.0.0.0-5.0.6.3; IBM API Connect 5.0.7.0-5.0.7.2. Refer to the following reference URLs for remediation and additional vulnerability details: Source ...


IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor

Sep 22, 2017 10:00 am EDT | High Severity

Security vulnerabilities have been reported for IBM SDK for Node.js. IBM Business Process Manager includes a stand-alone tool for editing configuration properties files that is based on IBM SDK for Node.js. CVE(s): CVE-2017-1000381, CVE-2017-11499. Affected product(s) and affected version(s): IBM Business Process Manager V8.5.5.0 – V8.5.7.0 including cumulative fix 2017.06. Refer to the following reference URLs ...