Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator

Security Bulletin


IBM Business Process Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise.

Vulnerability Details

Review the following security bulletins for IBM Business Process Manager for vulnerability details and information about fixes.

Affected Products and Versions

Principal Product and Version | Affected Supporting Product and Version
IBM Cloud Orchestrator 2.5, Interim Fix 1, and IBM Cloud Orchestrator Enterprise 2.5, Interim Fix 1 | IBM Business Process Manager Standard 8.5.6
IBM Cloud Orchestrator 2.4 and IBM Cloud Orchestrator Enterprise 2.4 | IBM Business Process Manager Standard
IBM SmartCloud Orchestrator 2.3 and IBM SmartCloud Orchestrator Enterprise 2.3 | IBM Business Process Manager Standard 8.5

Change History

* 20 May 2016: Last update: added link to the newest bulletin
* 20 May 2016: Added link to the bulletin for the IBM SDK Java April 2016 CPU
* 30 April 2015: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Internal Use Only

Update October 2016: Added CVE IDs: CVE-2016-5901, CVE-2016-3056, CVE-2014-9748, CVE-2016-1669, CVE-2016-1181, CVE-2016-1182, CVE-2015-0899, CVE-2016-0359, CVE-2016-0377, CVE-2016-0385, CVE-2016-2960, CVE-2016-3485, CVE-2016-3092, CVE-2016-5986, CVE-2016-5983

Update July: Added CVE ID: CVE-2015-0254
Update May: Added CVE IDs: CVE-2016-3426, CVE-2016-3427

CVE-2016-0227, CVE-2015-8524, CVE-2015-7463, CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448, CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006, CVE-2015-4955, CVE-2013-5452

CVE-2015-2808, CVE-2015-0138, CVE-2014-6593, CVE-2015-0400, CVE-2015-0410, CVE-2014-6512, CVE-2014-6457, CVE-2014-6558, CVE-2014-3566, CVE-2014-8730, CVE-2015-0193, CVE-2015-1885, CVE-2015-1946, CVE-2015-1927, CVE-2015-1920, CVE-2015-0488, CVE-2015-0478, CVE-2015-1916, CVE-2015-0204, CVE-2015-4000, CVE-2015-5531, CVE-2015-5377, CVE-2015-1904, CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-7417, CVE-2015-4872, CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196

(BPM Configuration Editor)
CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206

CVEs: CVE-2016-0227, CVE-2015-8524, CVE-2015-7463, CVE-2016-0483

Added CVE IDs: CVE-2015-7407, CVE-2015-7400, CVE-2015-7454

NOTE: I have cleaned up the Change history, as I think that with too many updates the text has become unsuitable/unreadable for the web.
I have kept the last update for new bulletins.

Change history

* 08 February 2016: Added 3 new bulletins
* 11 December 2015: Added links to CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734 and CVE-2015-5006
* 27 October 2015: Added links to CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205 and CVE-2015-0206
* 13 October 2015: Added link to Dojo bulletin
* 05 October 2015: Added links to new bulletins
* 18 September 2015: Added link to WebSphere Application Server Security Bulletin in Related information
* 19 August 2015: Added links about IBM SDK Java™ July 2015 CPU, and Missing Authorization on top of vulnerability details
* 14 August 2015: Added links about ElasticSearch
* 29 July 2015: Added links about IBM SDK Java™ April 2015 CPU and Cross Site Scripting
* 13 July 2015: Added link about Diffie-Hellman ciphers on top of vulnerability section

Document Information

Modified date:
17 June 2018