IBM Support

JR52288: SECURITY APAR CVE-2015-1164 - OPEN REDIRECT VULNERABILITY IN NODE.JS AFFECTS IBM BPM CONFIGURATION EDITOR

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The CVE-2015-1164 security vulnerability has been reported for
    a dependent "express" Node.js module. CVE-2015-1164 affects
    IBM Business Process Manager (BPM) because IBM BPM includes a
    stand-alone tool for editing configuration properties files
    that is based on open source Node.js technology.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM BPM Advanced                            *
    *                  IBM BPM Standard                            *
    *                  IBM BPM Express                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The CVE-2015-1164 security              *
    *                      vulnerability has been reported for a   *
    *                      dependent "express" Node.js module.     *
    *                      CVE-2015-1164 affects IBM Business      *
    *                      Process Manager (BPM) because IBM BPM   *
    *                      includes a stand-alone tool for         *
    *                      editing configuration properties        *
    *                      files that is based on open source      *
    *                      Node.js technology.                     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The Configuration editor might be vulnerable to an open
    redirect vulnerability because of embedded open source
    software.
    

Problem conclusion

  • A fix for IBM BPM V8.5.5.0 is available that updates the
    Configuration editor to use a open source library version that
    fixes this open redirect vulnerability.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR52288:
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR52288, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR52288

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-01-16

  • Closed date

    2015-02-09

  • Last modified date

    2015-02-09

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R800 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
09 February 2015