IBM Support

JR53955: SECURITY APAR CVE-2015-5377, CVE-2015-5531 IN ELASTICSEARCH AFFECTING IBM PROCESS FEDERATION SERVER

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Vulnerabilities in Elasticsearch  (CVE-2015-5377 and
    CVE-2015-5531) have been reported that affect IBM Process
    Federation Server. For more information about these
    vulnerabilities, refer to the "Security Bulletin: Multiple
    security vulnerabilities in Elasticsearch might affect Process
    Federation Server in IBM Business Process Manager (BPM) -
    CVE-2015-5531, CVE-2015-5377"
    (http://www.ibm.com/support/docview.wss?uid=swg21964010).
    
    Additionally, the Elasticsearch TCP port does not have an
    authorization check.
    
    PRODUCTS AFFECTED
    IBM BPM Advanced
    IBM BPM Standard
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix is available for Process Federation Server in IBM BPM
    V8.5.6.0 that fixes the security vulnerabilities. The fix
    upgrades the version of Elasticsearch to address these two
    vulnerabilities, but it also introduces a security safeguard
    that enforces authentication when Elasticsearch cluster members
    communicate with each other by using their proprietary transport
     protocol. This additional safeguard  helps protect Process
    Federation Server users from potential future vulnerabilities.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR55454. Interim fix JR55454 contains interim fix JR53955.
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR55454, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR53955

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    856

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-07-30

  • Closed date

    2016-03-31

  • Last modified date

    2016-04-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"856","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
04 September 2023