Direct links to fixes
APAR status
Closed as program error.
Error description
The CVE-2015-1164 security vulnerability has been reported for a dependent "express" Node.js module. CVE-2015-1164 affects IBM Business Process Manager (BPM) because IBM BPM includes a stand-alone tool for editing configuration properties files that is based on open source Node.js technology.
Local fix
N/A
Problem summary
USERS AFFECTED: IBM BPM Advanced, IBM BPM Standard, IBM BPM Express

PROBLEM DESCRIPTION: The CVE-2015-1164 security vulnerability has been reported for a dependent "express" Node.js module. CVE-2015-1164 affects IBM Business Process Manager (BPM) because IBM BPM includes a stand-alone tool for editing configuration properties files that is based on open source Node.js technology.

RECOMMENDATION:

The Configuration editor might be vulnerable to an open redirect vulnerability because of embedded open source software.
Problem conclusion
A fix for IBM BPM V8.5.5.0 is available that updates the Configuration editor to use an open source library version that fixes this open redirect vulnerability.

On Fix Central (http://www.ibm.com/support/fixcentral), search for JR52288:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR52288, and click Continue.

When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number
JR52288
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-01-16
Closed date
2015-02-09
Last modified date
2015-02-09
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R800 PSY
UP
Document Information
Modified date:
14 October 2021