JR57055: SECURITY APAR - CVE-2016-9731 - CROSS-SITE SCRIPTING (XSS) VULNERABILITY IN RESPONSIVE COACHVIEW

bpm.8570.cf2016.12.delta.repository
Downloading IBM Business Process Manager V8.5.7 Cumulative Fix 2016.12

APAR status

• Closed as program error.

Error description

• When the Table coach view loads, it displays cells as HTML,
  which might allow scripts to run.
  
  CVEID:CVE-2016-9731
  DESCRIPTION:IBM Business Process Manager is vulnerable to
  cross-site scripting. This vulnerability allows users to embed
  arbitrary JavaScript code in the web UI, thus altering the
  intended functionality potentially leading to credentials
  disclosure within a trusted session.
  CVSS Base Score: 5.4
  CVSS Temporal Score:
  See https://exchange.xforce.ibmcloud.com/vulnerabilities/119760 
  for the current score
  CVSS Environmental Score*: Undefined
  CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
  
  PRODUCTS AFFECTED
  IBM Business Process Manager (BPM) Advanced
  IBM BPM Standard
  IBM BPM Express
  

Local fix

Problem summary

• No additional information is available.
  

Problem conclusion

• A fix will be included in IBM BPM V8.5.7 cumulative fix 2016.12
  that ensures proper encoding to prevent XSS inside responsive
  Table coach view.
  
  To determine whether the cumulative fix is available and
  download it if it is, complete the following steps on Fix
  Central:
  
  1. On the Select product tab, select WebSphere as the product
  group, IBM Business Process Manager with your edition from the
  WebSphere options, All as the installed version, and All as the
  platform, and then click Continue.
  2. In the Text field, enter "cumulative fix", and click
  Continue.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM ADVANCED

• Fixed component ID

  5725C9400

Applicable component levels

• R857 PSY

     UP