IBM Support

JR58611: SECURITY APAR - CVE-2016-1000031 - REMOTE CODE EXECUTION VULNERABILITY IN APACHE COMMONS FILEUPLOAD MIGHT AFFECT IBM BPM

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

Direct links to fixes

bpm.8600.cf2017.12.delta.repository
8.5.0.2-WS-BPM-IFJR58611
8.5.5.0-WS-BPM-IFJR58611
8.5.6.2-WS-BPM-IFJR58611
8.6.0.0-WS-BPM-IFJR58611
8.5.7.201706-WS-BPM-IFJR58611

 

APAR status

  • Closed as program error.

Error description

  • A class in Apache Commons FileUpload contains code that triggers
code execution as part of deserialization. The Apache Commons
FileUpload library exists in IBM Business Process Manager (BPM)
and makes this class available on the class path. If any code in
 IBM BPM deserializes Java objects from an ObjectInputStream,
this code is vulnerable to remote code execution.
Deserialization can occur implicitly in various data handlers
and even explicitly in your own code in your process
applications.

CVEID: CVE-2016-1000031
DESCRIPTION: Apache Commons FileUpload, as used in Novell NetIQ
Sentinel and other products, could allow a remote attacker to
execute arbitrary code on the system, caused by deserialization
of untrusted data in DiskFileItem class of the FileUpload
library. A remote attacker could exploit this vulnerability to
execute arbitrary code under the context of the current process.
CVSS Base Score: 9.8
CVSS Temporal Score:
See https://exchange.xforce.ibmcloud.com/vulnerabilities/117957 
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Local fix

  • 



Problem summary


    

  • No additional information is available.

PRODUCTS AFFECTED
IBM BPM V8.6
IBM BPM Advanced
IBM BPM Standard
IBM BPM Express
IBM BPM ESB

    



Problem conclusion


    

  • A fix is available for IBM BPM V7.5.1.2, V8.0.1.3, V8.5.0.2,
V8.5.5.0, V8.5.6.0 cumulative fix (CF) 02, V8.5.7 CF2017.06,
V8.6 and will be included in the next cumulative fix for IBM BPM
 V8.6.0.0 that upgrades Apache Commons FileUpload to remove the
dangerous class from the class path.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR58611
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    857
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2017-10-30
    • 

  • Closed date
    2018-01-12
    • 

  • Last modified date
    2018-01-12
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            12 January 2018
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback