IBM Support

JR51163: SECURITY APAR CVE-2014-5256 - OPEN SOURCE NODE.JS VULNERABILITY IN CONFIGURATION EDITOR

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Security vulnerabilities have been reported for Node.js.
    CVE-2014-5256 affects IBM Business Process Manager (BPM) users
    because IBM BPM includes a stand-alone tool for editing
    configuration properties files that is based on open source
    Node.js technology
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM BPM Advanced                            *
    *                  IBM BPM Standard                            *
    *                  IBM BPM Express                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: Security vulnerabilities have been      *
    *                      reported for Node.js. CVE-2014-5256     *
    *                      affects IBM Business Process Manager    *
    *                      (BPM) users because IBM BPM includes    *
    *                      a stand-alone tool for editing          *
    *                      configuration properties files that     *
    *                      is based on open source Node.js         *
    *                      technology.                             *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    Several security vulnerabilities have been reported in
    Node.js. CVE-2014-5256 is the security vulnerability that can
    affect IBM BPM. For more information, see "Security Bulletin:
    A security vulnerability in Node.js affects the IBM Business
    Process Manager (BPM) configuration editor (CVE-2014-5256)"
    (http://www.ibm.com/support/docview.wss?uid=swg21684769).
    Other resources for information about this security
    vulnerability are
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5256
    and http://xforce.iss.net/xforce/xfdb/95057.
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.5 that replaces the
    vulnerable open source library.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR51163:
    
     1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
     2. Select APAR or SPR, enter JR51163, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR51163

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-09-03

  • Closed date

    2014-10-15

  • Last modified date

    2014-10-15

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
15 October 2014