IBM Support

JR57282: SECURITY APAR - CVE-2013-5462 CLICKJACKING VULNERABILITY IN THE ADMIN CONSOLE FOR CONTENT ENGINE (ACCE) MIGHT AFFECT IBM BPM

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2013-5462
    DESCRIPTION: The IBM Content Navigator application URL can be
    opened within a frame in a web page. In this context it is
    possible for the containing parent frame to record user input to
    the contained frame, capturing sensitive information like login
    credentials. The attack requires that a user be tricked into
    opening a page provided by an attacker.
    CVSS Base Score: 4.3
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/88358 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
    
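    The weakness described above is a missing anti-framing control: nothing in
    the response tells the browser to refuse embedding, so any attacker-owned
    page can load the console in a frame. The script below is an added example
    for this advisory, not IBM code, and it was not run against IBM Content
    Navigator or IBM BPM. It classifies a response's headers by the two controls
    browsers honour, the CSP frame-ancestors directive and X-Frame-Options, and
    includes a small fetcher for auditing a console URL of your own (the URL is
    not assumed here). All sample header sets in it are constructed.

```python
"""Clickjacking exposure check: does a response let browsers frame the page?

Added example for this advisory; it is not IBM code and was not run against
IBM Content Navigator or IBM BPM. It evaluates the two server-side controls
browsers honour against framing: the CSP frame-ancestors directive and the
X-Frame-Options header. All sample header sets below are constructed.
"""
import urllib.request
from typing import Dict, List, Optional

BLOCKED, RESTRICTED, FRAMEABLE = "blocked", "restricted", "frameable"


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(headers: Dict[str, str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if CSP does not set one."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a response as BLOCKED, RESTRICTED (same-origin or listed
    origins only) or FRAMEABLE (any site can embed it, the CVE-2013-5462 case).

    CSP frame-ancestors is evaluated first: a browser that enforces it ignores
    X-Frame-Options when both headers are present.
    """
    sources = frame_ancestors(headers)
    if sources is not None:
        # An empty source list or 'none' matches no ancestor: framing denied.
        if not sources or sources == ["'none'"]:
            return BLOCKED
        # '*' or a bare scheme source lets any origin of that scheme frame it.
        if any(s in ("*", "http:", "https:") for s in sources):
            return FRAMEABLE
        return RESTRICTED

    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return FRAMEABLE
    value = xfo.strip().upper()
    if value == "DENY":
        return BLOCKED
    if value == "SAMEORIGIN":
        return RESTRICTED
    # ALLOW-FROM and any other value are ignored by current browsers, which
    # leaves the page as exposed as if the header were absent.
    return FRAMEABLE


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch a URL you are auditing and return its response headers.

    Needs network access; no target URL is assumed by this example.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "framing-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses, not captured from any IBM product.
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"x-frame-options": "sameorigin"},
    "csp wins": {"X-Frame-Options": "SAMEORIGIN",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "allow-list": {"Content-Security-Policy": "frame-ancestors 'self' https://portal.example.com"},
    "wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://portal.example.com"},
}


def audit_samples() -> Dict[str, str]:
    """Run framing_policy over every constructed sample."""
    return {name: framing_policy(h) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples().items():
        print(f"{name:14s} -> {verdict}")
```

    A login page that comes back "frameable" is the condition the advisory
    describes; the remediation on the server side is to emit
    `Content-Security-Policy: frame-ancestors 'none'` (or an explicit allow
    list) together with `X-Frame-Options: DENY` for older clients.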

Local fix

Problem summary

  • No additional information is available.
    
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.5.0 that updates the
    vulnerable embedded component to a fixed version.
    
    No other versions of IBM BPM are affected.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR57282

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-01-31

  • Closed date

    2017-02-24

  • Last modified date

    2017-02-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R855 PSY

       UP


Document Information

Modified date:
24 February 2017