A fix is available
APAR status
Closed as program error.
Error description
Security vulnerabilities have been reported for Node.js. CVE-2014-5256 affects IBM Business Process Manager (BPM) users because IBM BPM includes a stand-alone tool for editing configuration properties files that is based on open source Node.js technology
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: IBM BPM Advanced * * IBM BPM Standard * * IBM BPM Express * **************************************************************** * PROBLEM DESCRIPTION: Security vulnerabilities have been * * reported for Node.js. CVE-2014-5256 * * affects IBM Business Process Manager * * (BPM) users because IBM BPM includes * * a stand-alone tool for editing * * configuration properties files that * * is based on open source Node.js * * technology. * **************************************************************** * RECOMMENDATION: * **************************************************************** Several security vulnerabilities have been reported in Node.js. CVE-2014-5256 is the security vulnerability that can affect IBM BPM. For more information, see "Security Bulletin: A security vulnerability in Node.js affects the IBM Business Process Manager (BPM) configuration editor (CVE-2014-5256)" (http://www.ibm.com/support/docview.wss?uid=swg21684769). Other resources for information about this security vulnerability are https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5256 and http://xforce.iss.net/xforce/xfdb/95057.
Problem conclusion
A fix is available for IBM BPM V8.5.5 that replaces the vulnerable open source library. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR51163: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR51163, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number
JR51163
Reported component name
BPM ADVANCED
Reported component ID
5725C9400
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-09-03
Closed date
2014-10-15
Last modified date
2014-10-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM ADVANCED
Fixed component ID
5725C9400
Applicable component levels
R800 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
16 October 2021