IBM Support

JR51507: SECURITY APAR CVE-2014-6101 - CROSS-SITE-SCRIPTING VULNERABILITY IN IBM BPM WHEN YOU USE REDIRECT-LOGIN MECHANISM

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) and IBM WebSphere Lombardi
    Edition use a redirect-login mechanism that allows a user to
    automatically (non-interactively) log in based on previously
    submitted credentials. You use this capability, for example,
    when you launch coaches from within Process Inspector. However,
    this redirect-login mechanism is vulnerable to
    cross-site-scripting attacks, potentially enabling attackers to
    run code in a user's browser.
    

Local fix

Problem summary

  • The redirect-login mechanism sends a login page to a user's
    browser. This page is then automatically submitted by the
    browser back to the server, without the user interacting with
    it. The vulnerability allows an attacker to construct a
    malicious URL that injects code into this login page and that
    code runs in the user's browser.
    

Problem conclusion

  • A fix is available for IBM BPM V7.5, V8.0, and earlier
    unsupported versions. This fix removes the vulnerability.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR51507:
    
    1. Select IBM Business Process Manager with your edition from
      the product selector, the installed version to the fix pack
      level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR51507, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR51507

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    751

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-10-14

  • Closed date

    2014-10-30

  • Last modified date

    2014-10-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R751 PSY

       UP

  • R801 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.1","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
30 October 2014