IBM Support

JR57055: SECURITY APAR - CVE-2016-9731 - CROSS-SITE SCRIPTING (XSS) VULNERABILITY IN RESPONSIVE COACHVIEW

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • When the Table coach view loads, it displays cells as HTML,
    which might allow scripts to run.
    
    CVEID:CVE-2016-9731
    DESCRIPTION:IBM Business Process Manager is vulnerable to
    cross-site scripting. This vulnerability allows users to embed
    arbitrary JavaScript code in the web UI, thus altering the
    intended functionality potentially leading to credentials
    disclosure within a trusted session.
    CVSS Base Score: 5.4
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/119760 
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix will be included in IBM BPM V8.5.7 cumulative fix 2016.12
    that ensures proper encoding to prevent XSS inside responsive
    Table coach view.
    
    To determine whether the cumulative fix is available and
    download it if it is, complete the following steps on Fix
    Central:
    
    1. On the Select product tab, select WebSphere as the product
    group, IBM Business Process Manager with your edition from the
    WebSphere options, All as the installed version, and All as the
    platform, and then click Continue.
    2. In the Text field, enter "cumulative fix", and click
    Continue.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR57055

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    857

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-12-01

  • Closed date

    2017-01-05

  • Last modified date

    2017-02-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R857 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
23 February 2017