IBM Support

JR54678: SECURITY APAR - SECURITY VULNERABILITIES EXIST IN BUSINESS SPACE CVE-2015-7400, CVE-2015-7407, CVE-2015-7454, CVE-2014-8912

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Multiple security vulnerabilities exist in IBM Business Space:
    
    CVE-2015-7400 - XML external entity expansion vulnerability
    CVE-2015-7407 - Server Side Request Forgery
    CVE-2015-7454 - Incomplete implementation of LOCKEDDOWN mode
    CVE-2014-8912 - Authorization bypass in Mashups
    
    You cannot disable the user search function for non-privileged
    users.
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • CVEID: CVE-2015-7400
    DESCRIPTION: IBM Business Process Manager is vulnerable to a
    denial of service, caused by an XML External Entity Injection
    (XXE) error when processing XML data. A remote authenticated
    attacker could exploit this vulnerability to consume all
    available CPU resources and cause a denial of service.
    CVSS Base Score: 4.3
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/107105 
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
    
    CVEID: CVE-2015-7407
    DESCRIPTION: IBM Mashups is vulnerable to Server Side Request
    Forgery. A remote attacker might use specially crafted HTTP
    requests to IBM Mashups in order to make the Mashups servers
    call other reachable HTTP services in its network.
    CVSS Base Score: 7.5
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/107433 
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
    
    CVEID: CVE-2015-7454
    DESCRIPTION: IBM Business Process Manager could allow an
    authenticated user to create pages and spaces that they should
    not have access to due to improper access restrictions.
    CVSS Base Score: 4.3
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/108333 
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
    
    On BPM V7.5.1.2, this APAR also resolves:
    CVEID: CVE-2014-8912
    DESCRIPTION: IBM WebSphere Portal and other products could allow
    a remote attacker to obtain sensitive information, caused by the
    failure to restrict access to resources located within web
    applications. An attacker could exploit this vulnerability to
    obtain configuration data and other sensitive information.
    CVSS Base Score: 5
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/99253 f
    or the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
    

Problem conclusion

  • A fix is available for IBM BPM V7.5.1.2, V8.0.1.3, V8.5.0.2,
    V8.5.5.0, V8.5.6.0 cumulative fix 2, and IBM BPM V8.5.7.0
    CF2016.06 that removes these vulnerabilities. This fix also
    introduces a new feature whereby you can disable the user search
    capability.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR54678:
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR54678, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    
    To enable this feature, configure the
    com.ibm.mashups.usersearch.blocked property as described in the
    readme file for your version of the product.
    

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR54678

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-11-10

  • Closed date

    2016-08-25

  • Last modified date

    2016-08-25

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R751 PSY

       UP

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP

  • R856 PSY

       UP

  • R857 PSY

       UP



Document information

More support for: IBM Business Process Manager Standard

Software version: 8.5

Reference #: JR54678

Modified date: 25 August 2016


Translate this page: