No software is bug-free, and BPM is no exception. This applies not only to the BPM product code developed by IBM, but also to 3rd party components that are either bundled with or required by BPM, such as
- IBM SDK for Java
- IBM WebSphere Application Server
- various open source libraries (such as Dojo) that are shipped in many places of the product.
The good news is that we at IBM are determined to protect our customers: security vulnerabilities that are found are fixed, and a disclosure ("security bulletin") is published.
For any software you run in production, fixes, fixpacks and configuration recommendations are published, and you should make every effort to keep up to speed with these publications and patch your (production) system where necessary. There are three basic actions you need to take for your BPM environments:
1) Make sure to run the latest fixpack of your supported release
As stated earlier: IBM takes security vulnerabilities in supported products very seriously. They are all handled in compliance with our documented product security incident response process (PSIRT).
For BPM, security fixes that close vulnerabilities are made available on the latest fixpack of every supported (and affected) release on the day the security bulletin disclosing the vulnerability is published.
Remember the version scheme is Version.Release.Modlevel.Fixpack. As we know customers cannot always move up to newer modification levels, we continue to provide fixes for some code streams for some time. In practice, many security fixes in the code base that originates from the former Lombardi world are made available for
- WebSphere Lombardi Edition 22.214.171.124
- IBM Business Process Manager 126.96.36.199
- IBM Business Process Manager 188.8.131.52
- IBM Business Process Manager 184.108.40.206
- IBM Business Process Manager 220.127.116.11
- IBM Business Process Manager 18.104.22.168 on top of latest cumulative fix CF2
- IBM Business Process Manager 22.214.171.124 on top of latest cumulative fix 2017.06
- IBM Business Process Manager 126.96.36.199 on top of latest cumulative fix
As announced in Product maintenance strategy for IBM Business Process Manager V188.8.131.52 and later, we have moved to a cumulative fix strategy. The same statements about being on the latest level apply to cumulative fixes: a fix to close a vulnerability on, for example, V184.108.40.206609 is provided on top of the latest cumulative fix (2017.06) and rolled up into the next cumulative fix of the 8.6 stream.
From a security perspective, there is no excuse for being on a version like 220.127.116.11 or 18.104.22.168, 22.214.171.124 or even 126.96.36.199703 without having plans to move up.
For product releases that are out of general support (that is: 8.0 and earlier), fixes are produced and made available on request for customers entitled under service extension contracts. For products in general support, all fixes are proactively published to Fix Central and the live repository.
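The "are you on the level that carries the fix?" question above is easy to get wrong by hand once cumulative fixes sit on top of the Version.Release.Modlevel.Fixpack scheme. The following is an added example (not IBM's own tooling) of how an inventory check can encode that ordering: it parses V.R.M.F strings and CF labels in the two styles the text mentions ("CF2" and "2017.06"), maps each installation to its code stream, and reports whether a host is current, needs a newer fixpack, needs the latest cumulative fix, or sits on a stream for which the bulletin names no fix at all. The streams, fixpack levels, CF labels and host names in `SAMPLE_REQUIRED` and `SAMPLE_INVENTORY` are constructed sample data, not the contents of any real bulletin.

```python
"""Fix-level compliance check for IBM BPM style Version.Release.Modlevel.Fixpack
strings with an optional cumulative fix (CF) label.

Added example, not IBM's own tooling. Every version, CF label and host name
below is constructed sample data, not real bulletin content.
"""
import re
from typing import Dict, List, Optional, Tuple

VRMF = Tuple[int, int, int, int]
CF = Tuple[int, ...]

# Assumed CF label formats: "CF2" style (older streams) or "2017.06" style (newer).
_CF_RE = re.compile(r"^(?:CF(\d+)|(\d{4})\.(\d{2}))$", re.IGNORECASE)


def parse_vrmf(text: str) -> VRMF:
    """Parse 'V8.5.7.0' / '8.5.7' into a 4-tuple; missing trailing parts are 0."""
    parts = text.strip().lstrip("Vv").split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad V.R.M.F string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def parse_cf(label: Optional[str]) -> CF:
    """Parse a CF label into a sortable tuple; no CF installed sorts lowest."""
    if not label:
        return ()
    m = _CF_RE.match(label.strip())
    if not m:
        raise ValueError(f"bad cumulative fix label: {label!r}")
    if m.group(1):
        return (int(m.group(1)),)
    return (int(m.group(2)), int(m.group(3)))


def stream_key(v: VRMF) -> str:
    """The code stream (V.R.M) a fix is delivered for, e.g. '8.5.7'."""
    return ".".join(str(n) for n in v[:3])


def assess(installed: str, installed_cf: Optional[str],
           required: Dict[str, Tuple[str, Optional[str]]]) -> str:
    """Compare one installation against the level a bulletin names for its stream.

    `required` maps a stream ('8.5.7') to the (fixpack, CF) that carries the fix.
    Returns one of: 'current', 'upgrade-fixpack', 'apply-cumulative-fix',
    'no-fix-published-for-stream'.
    """
    have = parse_vrmf(installed)
    key = stream_key(have)
    if key not in required:
        # Out-of-support stream or not affected: the bulletin lists no level for it.
        return "no-fix-published-for-stream"
    need, need_cf_label = required[key]
    need_vrmf = parse_vrmf(need)
    if have < need_vrmf:
        return "upgrade-fixpack"
    if have > need_vrmf:
        # A later fixpack rolls up earlier fixes, so this host is already covered.
        return "current"
    have_cf, need_cf = parse_cf(installed_cf), parse_cf(need_cf_label)
    if have_cf and need_cf and len(have_cf) != len(need_cf):
        raise ValueError(f"mixed CF label styles on stream {key}")
    return "apply-cumulative-fix" if have_cf < need_cf else "current"


def report(inventory: List[Tuple[str, str, Optional[str]]],
           required: Dict[str, Tuple[str, Optional[str]]]) -> List[Tuple[str, str]]:
    """Assess every (host, vrmf, cf) entry and return (host, status) pairs."""
    return [(host, assess(vrmf, cf, required)) for host, vrmf, cf in inventory]


# Constructed sample bulletin: stream -> level that carries the fix.
SAMPLE_REQUIRED = {
    "8.5.6": ("8.5.6.0", "CF2"),
    "8.5.7": ("8.5.7.0", "2017.06"),
    "8.6.0": ("8.6.0.0", "2017.06"),
}

# Constructed sample inventory: (host, installed V.R.M.F, installed CF or None).
SAMPLE_INVENTORY = [
    ("bpm-prod-01", "8.6.0.0", "2017.06"),
    ("bpm-prod-02", "8.5.7.0", "2017.03"),
    ("bpm-test-01", "8.5.6.0", "CF1"),
    ("bpm-legacy-01", "8.0.1.3", None),
]

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY, SAMPLE_REQUIRED):
        print(f"{host:16} {status}")
```

Two design points follow directly from the text: a host on a later fixpack than the one named for its stream is treated as current, because fixes are rolled up into subsequent fixpacks and cumulative fixes; and a host whose stream appears in no bulletin entry is not silently reported as fine, since that is exactly the out-of-support case where a fix only exists on request under a service extension.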
2) Get available security fixes
If you set up a brand new environment, make sure to install all available security fixes for the version you just installed. Ideally, you do that right after installation and before creating a deployment environment. While we aim to mark all security fixes as "recommended", there can be cases where this is only possible for Fix Central downloads, but not in the live repository for Installation Manager; this can be due to required post-installation actions.
The recommended approach to find available security fixes is to go to the IBM Support Portal, select your product and version and hit "Go". On the resulting page, there is a link to "Flashes, alerts and bulletins".
It is important to note that BPM security bulletins for bundled products are published for vulnerabilities with high media coverage (such as the SSL/TLS vulnerabilities Heartbleed, POODLE and FREAK). For BPM, therefore, also look at the security bulletins for IBM WebSphere Application Server (WAS), which is the technology base underneath BPM. Given the BPM product structure, you can apply WebSphere Application Server fixes and fixpacks directly to your BPM environment; there is no need to wait for a "BPM repackaged fix for WAS".
In order to minimize the number of maintenance windows for security patch installation, the shipment of security fixes and the publication of security bulletins are consolidated as much as is reasonable. Typically, you'll see a bulk publication on the day a new cumulative fix or release ships.
3) Subscribe to future security bulletins
You do not need to visit the IBM Support Portal every day to check whether new security bulletins have been published. There is a subscription feature that lets you select all your IBM products and register for email notification of any flashes and security bulletins.
Again, make sure to subscribe not only to BPM, but also to WebSphere Application Server - and in case you are using additional IBM products like DB2, IBM Security Directory Server and IBM HTTP Server, make sure to subscribe to those as well.