IBM Support

JR51503: SECURITY APAR - CVE-2014-4763, CVE-2014-0107 - VULNERABILITIES IN IBM BPM DOCUMENTSTORE ADMINISTRATION


APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) V8.5.5.0 includes a
    web-based application for administering the IBM BPM document
    store. A cross-site scripting vulnerability (CVE-2014-4763) and
    a vulnerability in an embedded open source library for XML
    processing (CVE-2014-0107) have been reported.
    

Local fix

  • In the administrative console, go to Applications > Application
    Types > WebSphere Enterprise Applications >
    IBM_BPM_DocStoreAdmin_<clusterName> > Security role to
    user/group mapping and remove all users and groups from the role
    mapping.
    

Problem summary

  • The vulnerable application is required only for IBM Support to
    gather additional information. By default, only one
    administrative user (deployment environment administrator) may
    access the application. You can prevent access to the
    application by removing all users and groups from the security
    role mapping in this application.
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.5.0 that updates the
    vulnerable administrative user interface to use a fixed version
    of the open source library and to properly encode user input to
    prevent cross-site scripting.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR51503:
    
    1. Select IBM Business Process Manager with your edition from
      the product selector, the installed version (down to the fix
      pack level), and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR51503, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • Not applicable
    

APAR Information

  • APAR number

    JR51503

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-10-16

  • Closed date

    2014-11-17

  • Last modified date

    2014-11-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R855 PSY

       UP

Document Information

Modified date:
17 November 2014