JR58405: SECURITY APAR CVE-2017-1159 - INTERIM FIX JR57478 DOESN'T PREVENT VULNERABILITY OF IBM BPM TO THIS SECURITY ISSUE

bpm.8600.cf2017.12.delta.repository
8.5.5.0-WS-BPM-IFJR58405
8.5.6.2-WS-BPM-IFJR58405
8.5.7.201703-WS-BPM-IFJR58405

APAR status

• Closed as program error.

Error description

• Interim Fix JR57478 contains all files to fix security APAR
  CVE-2017-1159:
  
  CVEID: CVE-2017-1159
  DESCRIPTION: IBM Business Process Manager (BPM) could allow a
  remote attacker to conduct phishing attacks, using an open
  redirect attack. By persuading a victim to visit a
  specially-crafted web site, a remote attacker could exploit this
  vulnerability to spoof the URL displayed to redirect a user to a
  malicious web site that would appear to be trusted. This could
  allow the attacker to obtain highly sensitive information or
  conduct further attacks against the victim.
  CVSS Base Score: 7.4
  CVSS Temporal Score: See
  https://exchange.xforce.ibmcloud.com/vulnerabilities/122891 for
  the current score
  CVSS Environmental Score*: Undefined
  CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
  
  However, interim fix JR57478 doesn't ensure the fixes are copied
  to all relevant places. After installing interim fix JR57478,
  IBM Business Process Manager (BPM) is still vulnerable.
  
  PRODUCTS AFFECTED
  IBM BPM Advanced
  IBM BPM Standard
  IBM BPM Express
  IBM BPM
  

Local fix

Problem summary

• No additional information is available.
  

Problem conclusion

• A fix that ensures redirects are always relative, meaning that
  they are on the same server, is available for the IBM BPM
  V8.5.5.0, V8.5.6.2 fix packs and is included in IBM BPM V8.5.7
  cumulative fix (CF) 2017.03.
  
  Note: A fix for IBM BPM V8.5.7 CF2017.03 is available even
  though IBM BPM V8.5.7 CF2017.03 is not vulnerable to this
  security issue because this interim fix prevents the following
  unnecessary warning message in IBM Installation Manager, which
  you see when you upgrade IBM BPM:
  
  "One or more fixes will be uninstalled when IBM(R) Business
  Process Manager <Advanced | Standard | Express> is updated to
  8.5.7. CF2017.03. The update does not address issues that were
  resolved previously by the maintenance packages. The problems
  might return if fixes for the the following issues are not
  reapplied or have new fixes applied to prevent the problems from
  returning.
    - JR57478 in the package IBM(R) Business Process Manager
  <Advanced | Standard | Express> 8.5..."
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM STANDARD

• Fixed component ID

  5725C9500

Applicable component levels

• R857 PSY

     UP