IBM Support

JR49990: SECURITY APAR CVE-2014-0957 - SCRIPT INJECTION ON CALLSERVICE.DO AND STACK TRACE UNNECESSARILY SHOWN TO END USER


APAR status

  • Closed as program error.

Error description

  • When a service is invoked through a URL and fails without the error
    being handled, the response can include the caller's input or
    sensitive data, resulting in cross-site scripting or disclosure of
    sensitive information.
    
    PRODUCTS AFFECTED:
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • A link to callService.do can carry JavaScript or an XML entity in
    the service input parameters. When such a link is followed, the
    injected script can be returned to the end user's browser.
    

Problem conclusion

  • A fix for IBM BPM is available that fixes the script injection
    and information disclosure vulnerabilities by preventing
    detailed error information from being returned to an end user's
    browser.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR49990:
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version down to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR49990, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
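    The behaviour this APAR describes, shown side by side with the
    hardened form of the fix it delivers, as an added illustration that
    is not IBM's code: a stand-in service dispatcher (run_service,
    call_service_before and call_service_after are hypothetical names)
    that in the "before" case writes the raw output and the exception's
    stack trace into the HTML response, and in the "after" case escapes
    the output and keeps failure detail in the server log behind a
    correlation id.

```python
import html
import logging
import traceback
import uuid

log = logging.getLogger("callservice")

# Constructed stand-in for a BPM service (hypothetical): echoes one input
# parameter back, and fails with a message that embeds the raw service name.
def run_service(service_name, params):
    if service_name != "echo":
        raise LookupError(f"no such service: {service_name}")
    return params.get("msg", "")

def call_service_before(service_name, params):
    """Pre-fix behaviour described by the APAR: the unescaped service output
    and, on failure, the exception message plus stack trace are written
    straight into the HTML response, so reflected input reaches the browser."""
    try:
        return 200, f"<pre>{run_service(service_name, params)}</pre>"
    except Exception as exc:
        return 500, f"<h1>Service failure</h1><pre>{exc}\n{traceback.format_exc()}</pre>"

def call_service_after(service_name, params):
    """Hardened form: output is HTML-escaped; on failure the browser gets only a
    generic message and a correlation id, while the detail (including the
    offending input) goes to the server log for the administrator."""
    try:
        return 200, f"<pre>{html.escape(run_service(service_name, params))}</pre>"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("service %r failed, correlation id %s", service_name, ref)
        return 500, f"<h1>Service failure</h1><p>Request could not be completed (ref {ref}).</p>"

# Constructed sample of reflected input used to compare the two handlers.
PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    for handler in (call_service_before, call_service_after):
        print(handler.__name__, handler("echo", {"msg": PAYLOAD}))
        print(handler.__name__, handler(PAYLOAD, {}))
```

    The "after" handler still reports failures to the caller; it simply
    moves the stack trace and raw input out of the response and into a log
    record that the correlation id ties back to the user's report.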
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR49990

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-04-15

  • Closed date

    2014-07-14

  • Last modified date

    2014-07-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R850 PSY UP



Document information

More support for: IBM Business Process Manager Standard

Software version: 8.5

Reference #: JR49990

Modified date: 30 July 2014