IBM Support

JR52626: SECURITY APAR CVE-2015-0193 - RESOLVE CROSS-SITE SCRIPTING (XSS)AND STACK TRACES ON IBM PROCESS PORTAL

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) is vulnerable to cross-site
    scripting (XSS) because user-supplied input is improperly
    neutralized in some error situations. A remote attacker could
    exploit this vulnerability by using a specially crafted URL to
    run a script in your web browser within the security context of
    the hosting web site when the URL is clicked. An attacker could
    use this vulnerability to steal your cookie-based authentication
    credentials.
    
    PRODUCTS AFFECTED
    IBM BPM Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • IBM Process Portal might return unvalidated user input in some
    error situations, which results in a cross-site scripting (XSS)
    vulnerability if the user-supplied input contains an executable
    script.
    

Problem conclusion

  • A fix will be available for the latest fix pack of all supported
    and affected releases that replace the stack traces with
    generic messages.
    
    To see if a fix is available for your release, go to Fix Central
    (http://www.ibm.com/support/fixcentral) and search for JR52626:
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR52626, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR52626

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    751

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-02-19

  • Closed date

    2015-05-27

  • Last modified date

    2015-05-27

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R751 PSY

       UP

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.5.1","Edition":"","Line of Business":{"code":"LOB15","label":"Integration"}}]

Document Information

Modified date:
27 May 2015