IBM Support

JR51503: SECURITY APAR - CVE-2014-4763, CVE-2014-0107 - VULNERABILITIES IN IBM BPM DOCUMENTSTORE ADMINISTRATION

Direct links to fixes

8.5.5.0-WS-BPM-IFJR51503
Version 8.5 Refresh Pack 6 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) V8.5.5.0 includes an
web-based application for administering the IBM BPM document
store. A cross-site scripting vulnerability (CVE-2014-4763) and
a vulnerability in an embedded open source library for XML
processing (CVE-2014-0107) have been reported.

Local fix

  • In the administrative console, go  to Applications > Application
Types > WebSphere Enterprise Applications >
IBM_BPM_DocStoreAdmin_<clusterName> > Security role to
user/group mapping and remove all users and groups from the role
mapping.

Problem summary

  • The vulnerable application is required only for IBM Support to
gather additional information. By default, only one
administrative user (deployment environment administrator) may
access the application. You can prevent access to the
application by removing all users and groups from the security
role mapping in this application.

Problem conclusion

  • A fix is available for IBM BPM V8.5.5.0 that updates the
vulnerable administrative user interface to use a fixed version
of the open source library and to properly encode user input to
prevent cross-site scripting.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR51503:

1. Select IBM Business Process Manager with your edition from
  the product selector, the installed version to the fix pack
  level, and your platform, and then click Continue.

2. Select APAR or SPR, enter JR51503, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

Temporary fix

  • Not applicable

Comments

  • 



APAR Information




    

  • APAR number
    JR51503
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    855
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2014-10-16
    • 

  • Closed date
    2014-11-17
    • 

  • Last modified date
    2014-11-17
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    

  • R855  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            16 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback