IBM Support

JR57149: SECURITY APAR - CVE-2016-9693 - CAUSES MALICIOUS FILE DOWNLOAD AND RESTRICTS BYPASSING FILE TYPES IN IBM BPM

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2016-9693
    DESCRIPTION: IBM Business Process Manager has a file download
    capability that is vulnerable to a set of attacks. Ultimately,
    an attacker can cause an unauthenticated victim to download a
    malicious payload. An existing file type restriction can be
    bypassed so that the payload might be considered executable and
    cause damage on the victim's machine.
    CVSS Base Score: 7.1
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/119517 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
    

Local fix

Problem summary

  • Because of how the "download in CSV (comma separated values)
    format" function in IBM BPM was implemented, a browser sends all
    data to the server and expects the same data back as a
    downloadable stream. The server-side URL is vulnerable because
    of
    
    - insufficient authorization (available for anonymous users)
    - insufficient file extension checking (possibility to bypass
     the .csv file extension restriction)
    - accepting GET requests that can easily be sent to victims in a
     chat or email
    
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Problem conclusion

  • A fix is available for the latest fix pack of all supported IBM
    BPM releases: 7.5.1.2, 8.0.1.3, 8.5.0.2, 8.5.5.0, 8.5.6.0 CF02,
    and 8.5.7.0 CF 2016.12. The fix will also be included in IBM BPM
    8.5.7.0 CF 2017.03.
    
    This fix by default completely disables the vulnerable URL and
    updates all IBM BPM product components that cause requests to
    this URL to use the client-side JavaScript instead.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR57149:
    
    1. Select IBM Business Process Manager with your edition from
      the product selector, the installed version to the fix pack
      level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR57149, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR57149

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    857

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-12-09

  • Closed date

    2017-02-24

  • Last modified date

    2017-02-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP

  • R856 PSY

       UP

  • R857 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
16 October 2021