IBM Support

JR52355: SECURITY APAR CVE-2015-0158 - CROSS-SITE SCRIPTING VULNERABILITY IN IBM BPM COACH NG FRAMEWORK


APAR status

  • Closed as program error.

Error description

  • The IBM Business Process Manager (BPM) coach NG framework is
    vulnerable to cross-site scripting because user-supplied input
    is handled improperly. A remote attacker might exploit this
    vulnerability by using a specially crafted URL to run a script
    in a user's web browser within the security context of the
    hosting website after the user clicks the URL. An attacker might
    use this vulnerability to steal the user's cookie-based
    authentication credentials.
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix is available for IBM BPM V8.0.1.3 that replaces a detailed
    error message that contained unescaped user-supplied input with
    a generic error message.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR52355:
    
        1. Select IBM Business Process Manager with your edition
           from the product selector, the installed version to the
           fix pack level, and your platform, and then click Continue.
        2. Select APAR or SPR, enter JR52355, and click Continue.
    
    A fix is also available for IBM BPM V8.5.0.1. The fix for this
    APAR on 8.5.0.1 has been superseded and is included in the
    cumulative fix for JR52322. To obtain it, follow the instructions
    above, substituting JR52322 for the APAR ID.
    
    A fix is also available for IBM BPM V8.5.5.0. The fix for this
    APAR on 8.5.5.0 has been superseded and is included in the
    cumulative fix for JR52137. To obtain it, follow the instructions
    above, substituting JR52137 for the APAR ID.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
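
    The change described above, as an added illustration that is not IBM's code: a minimal Python rendering of the error page before and after the fix, assuming the offending value arrives as a URL parameter and that the detail is still wanted in a server-side log. A regression check shows which variants echo the submitted markup verbatim.

```python
import html

# Constructed sample of a URL parameter value under the user's control; a
# harmless marker tag is enough to make the difference visible.
SAMPLE_INPUT = "<script>probe</script>"
GENERIC_ERROR = "<p>Error: the request could not be processed.</p>"


def detailed_error_before(bad_value: str) -> str:
    """Before the fix: the detailed message interpolates the raw value into
    the HTML body, so any markup in the value becomes part of the page."""
    return f"<p>Error: '{bad_value}' is not a valid coach parameter.</p>"


def generic_error_after(bad_value: str, server_log: list) -> str:
    """After the fix: the browser receives a fixed generic message. The
    rejected value is kept only in a server-side log (assumed here), where
    it is stored as text and never rendered as HTML."""
    server_log.append(f"coach parameter rejected: {bad_value!r}")
    return GENERIC_ERROR


def detailed_error_escaped(bad_value: str) -> str:
    """Alternative hardening (an assumption, not the approach the APAR
    describes): keep the detail but HTML-escape the value so the browser
    displays it as text instead of interpreting it."""
    safe = html.escape(bad_value, quote=True)
    return f"<p>Error: '{safe}' is not a valid coach parameter.</p>"


def reflects_raw_markup(response_body: str, submitted_value: str) -> bool:
    """Regression check: True when the response echoes the submitted value
    verbatim, angle brackets included, which is the reflected-XSS pattern."""
    return "<" in submitted_value and submitted_value in response_body


if __name__ == "__main__":
    log = []
    variants = (
        ("before", detailed_error_before(SAMPLE_INPUT)),
        ("after", generic_error_after(SAMPLE_INPUT, log)),
        ("escaped", detailed_error_escaped(SAMPLE_INPUT)),
    )
    for name, body in variants:
        print(f"{name:8s} reflects raw markup: {reflects_raw_markup(body, SAMPLE_INPUT)}")
    print("server log:", log)
```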
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR52355

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    801

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-01-19

  • Closed date

    2015-03-12

  • Last modified date

    2015-03-12

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP



Document information

More support for: IBM Business Process Manager Advanced

Software version: 8.0.1

Reference #: JR52355

Modified date: 12 March 2015