IBM Support

JR52893: SECURITY APAR - CVE-2015-0204 - IBM BPM CONFIG EDITOR AFFECTED BY FREAK VULNERABILITY FROM NODE.JS


APAR status

  • Closed as program error.

Error description

  • The OpenSSL Project disclosed OpenSSL vulnerabilities,
    including the "FREAK: Factoring Attack on RSA-EXPORT keys"
    TLS/SSL client and server vulnerability, on January 8, 2015.
    The IBM SDK for Node.js, which the IBM Business Process
    Manager (BPM) Configuration editor uses, uses OpenSSL. The
    applicable CVEs have been addressed in the IBM BPM
    Configuration editor.
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM BPM Advanced                            *
    *                  IBM BPM Standard                            *
    *                  IBM BPM Express                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The OpenSSL Project disclosed OpenSSL   *
    *                      vulnerabilities, including the          *
    *                      "FREAK: Factoring Attack on             *
    *                      RSA-EXPORT keys" TLS/SSL client and     *
    *                      server vulnerability, on January 8,     *
    *                      2015. The IBM SDK for Node.js, which    *
    *                      the IBM Business Process Manager        *
    *                      (BPM) Configuration editor uses, uses   *
    *                      OpenSSL. The applicable CVEs have       *
    *                      been addressed in the IBM BPM           *
    *                      Configuration editor.                   *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    No additional information available.
    

Problem conclusion

  • A fix for IBM BPM V8.5.5.0 and 8.5.6.0 is available that
    updates the Configuration editor to use an updated version of
    IBM SDK for Node.js.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR52893:
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR52893, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR52893

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-03-22

  • Closed date

    2015-04-20

  • Last modified date

    2015-04-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R800 PSY

       UP


Document Information

Modified date:
30 April 2015