Direct links to fixes
Closed as program error.
CVEID: CVE-2017-1159 DESCRIPTION: IBM Business Process Manager (BPM) could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. CVSS Base Score: 7.4 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122891 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
No additional information is available. PRODUCTS AFFECTED IBM BPM Advanced IBM BPM Standard IBM BPM Express
A fix that ensures redirects are always relative, meaning that they are on the same server, is available for the IBM BPM V220.127.116.11, V18.104.22.168, and V22.214.171.124 fix packs and IBM BPM V8.5.7 cumulative fix 2017.03. Note: A fix for IBM BPM V8.5.7 cumulative fix (CF) 2017.03 is available even though IBM BPM V8.5.7 CF 2017.03 is not vulnerable to this security issue. The intention of this interim fix is to prevent the following unnecessary warning message in IBM Installation Manager, which you see when you upgrade IBM BPM: "One or more fixes will be uninstalled when IBM(R) Business Process Manager <Advanced | Standard | Express> is updated to 8.5.7. CF2017.03. The update does not address issues that were resolved previously by the maintenance packages. The problems might return if fixes for the following issues are not reapplied or have new fixes applied to prevent the problems from returning. - JR57478 in the package IBM(R) Business Process Manager <Advanced | Standard | Express> 8.5..."
Reported component name
Reported component ID
NoSpecatt / Xsystem
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID
Applicable component levels
17 October 2017