IBM Support

JR50241: CROSS SITE SCRIPTING VULNERABILITY IN PROCESS INSPECTOR

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • A cross-site scripting exposure occurs in Process Inspector
    where scripting text can be injected to cause manipulated
    responses or obtain sensitive information.
    
    On 8501 this can be regressed by JR51636 and fixed by JR49363.
    Please download JR49363 to obtain this fix.
    

Local fix

Problem summary

  • The system is vulnerable to persistent Cross-Site Scripting
    attack. This vulnerability stems from missing validation and
    encoding on input received from the system's data source while
    using this input in order to generate dynamic web pages.
    You can use Escalate Task function in Process Inspector to
    inject scripting language into the request.
    
    
    *UPDATE(May.12,2015)* This fix has been superseded by JR49363 on
    v8.5.0.1. Please download JR49363 to obtain this fix.
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.0.1. The request input is
    now validated with a proper error message returned with the
    input string escaped correctly.
    
    *UPDATE(May.12,2015)* This fix has been superseded by JR49363 on
    v8.5.0.1. Please download JR49363 to obtain this fix.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR49363:
    
    1.Select IBM Business Process Manager with your edition from the
    product selector, the installed version to the fix pack level,
    and your platform, and then click Continue.
    2.Select APAR or SPR, enter JR49363, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR50241

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-05-15

  • Closed date

    2014-07-28

  • Last modified date

    2015-05-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
12 May 2015