IBM Support

JR57397: SECURITY CVE-2017-1140 - PERSISTENT CROSS-SITE SCRIPTING VULNERABILITY IN PROCESS PORTAL

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2017-1140
    DESCRIPTION: IBM Business Process Manager (BPM) is vulnerable to
    cross-site scripting. This vulnerability allows users to embed
    arbitrary JavaScript code in the web UI thus altering the
    intended functionality potentially leading to credentials
    disclosure within a trusted session.
    CVSS Base Score: 5.4
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/121905 
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
    
    PRODUCTS AFFECTED
    IBM BPM Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • Because user input is insufficiently neutralized, a user can
    enter data that contains a script that can later run in another
    user's browser while displaying the first user's data.
    

Problem conclusion

  • A fix is available for the latest fix pack of all supported IBM
    BPM releases: 8.0.1.3, 8.5.0.2, 8.5.5.0, 8.5.6.0 CF02, and will
    also be included in IBM BPM 8.5.7.0 CF 2017.03.
    
    This fix by default completely disables the vulnerable URL and
    updates all IBM BPM product components that cause requests to
    this URL to use the client-side JavaScript instead.
    

Temporary fix

  • Not applicable.
    

Comments

APAR Information

  • APAR number

    JR57397

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-09

  • Closed date

    2017-03-31

  • Last modified date

    2017-03-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
31 March 2017