Security Bulletin: Multiple security vulnerabilities in Business Space affect IBM Business Process Manager and WebSphere Process Server (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)

Security Bulletin

Summary

Business Space is a user interface framework that is available in WebSphere Process Server and IBM Business Process Manager (BPM). In IBM BPM Express Edition and Standard Edition the framework is not used directly by end users, however, it is still available and contributes parts of the Process Portal experience.

Multiple security vulnerabilities have been reported for Business Space. IBM has addressed the vulnerabilities in WebSphere Process Server and IBM Business Process Manager as described below.

Vulnerability Details

CVEID: CVE-2015-7407
DESCRIPTION: IBM Mashups is vulnerable to Server Side Request Forgery. A remote attacker might use specially crafted HTTP requests to IBM Mashups in order to make the Mashups servers call other reachable HTTP services in its network.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107433 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2015-7400
DESCRIPTION: IBM Business Process Manager is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107105 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7454
DESCRIPTION: IBM Business Process Manager could allow an authenticated user to create pages and spaces that they should not have access to due to improper access restrictions.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108333 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

WebSphere Process Server V6.1.2.0 - V7.0.0.5
IBM Business Process Manager Advanced V7.5.0.0 - V7.5.1.2
IBM Business Process Manager Advanced V8.0.0.0 - V8.0.1.3
IBM Business Process Manager Advanced V8.5.0.0 - V8.5.6.0

Remediation/Fixes

Install IBM Business Process Manager interim fix JR54678 as appropriate for your current IBM Business Process Manager version.

Please note that JR55592 was made available for download (but not officially announced in a security bulletin) to address CVE-2014-8912. On BPM V8.0 and later, JR55592 overwrites some of the changes of JR54678 and thus reintroduces CVE-2015-7400. The correct fix for CVE-2014-8912 is JR56078 which supersedes JR55592 as announced in Security Bulletin: Security vulnerability in Business Space affects IBM Business Process Manager and WebSphere Process Server (CVE-2014-8912).

For any version of WebSphere Prcoess Server, IBM recommends upgrading to a fixed, supported version/release/platform of the IBM Business Process Manager Advanced.

Workarounds and Mitigations

Not applicable

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Change History

04 Mar 2016: initial version published
28 Jul 2016: removed "V8.0 and later" as fixes for V7.5 have been published.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.6;8.5.5;8.5.0.2;8.5.0.1;8.5;8.0.1.3;8.0.1.2;8.0.1.1;8.0.1;8.0;7.5.1.2;7.5.1.1;7.5.1;7.5.0.1;7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSFTBX","label":"IBM Business Process Manager Express"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.5.6;8.5.5;8.5.0.2;8.5.0.1;8.5;8.0.1.3;8.0.1.2;8.0.1.1;8.0.1;8.0;7.5.1.2;7.5.1.1;7.5.1;7.5.0.1;7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.5.6;8.5.5;8.5.0.2;8.5.0.1;8.5;8.0.1.3;8.0.1.2;8.0.1.1;8.0.1;8.0;7.5.1.2;7.5.1.1;7.5.1;7.5.0.1;7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSQH9M","label":"WebSphere Process Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"7.0.0.5;7.0.0.4;7.0.0.3;7.0.0.2;7.0.0.1;7.0;6.2.0.3;6.2.0.2;6.2.0.1;6.2;6.1.2.3;6.1.2.2;6.1.2.1;6.1.2","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Tips

Security Bulletin: Multiple security vulnerabilities in Business Space affect IBM Business Process Manager and WebSphere Process Server (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)