IBM Support

JR54678: SECURITY APAR - SECURITY VULNERABILITIES EXIST IN BUSINESS SPACE CVE-2015-7400, CVE-2015-7407, CVE-2015-7454, CVE-2014-8912

Direct links to fixes

8.5.7.0-WS-WBM-IFJR54678
8.5.6.0-WS-WBM-IFJR54678
8.5.5.0-WS-WBM-IFJR54678
8.0.1.3-WS-BSPACE-IFJR56078
7.5.1.2-WS-BSPACE-IFJR54678
8.5.6.1-WS-BPM-IFJR54678
8.0.1.3-WS-BSPACE-IFJR54678
8.5.0.2-WS-BPM-IFJR54678
8.5.5.0-WS-BPM-IFJR54678
8.5.6.2-WS-BPM-IFJR54678
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Multiple security vulnerabilities exist in IBM Business Space:

CVE-2015-7400 - XML external entity expansion vulnerability
CVE-2015-7407 - Server Side Request Forgery
CVE-2015-7454 - Incomplete implementation of LOCKEDDOWN mode
CVE-2014-8912 - Authorization bypass in Mashups

You cannot disable the user search function for non-privileged
users.

PRODUCTS AFFECTED
IBM Business Process Manager (BPM) Advanced
IBM BPM Standard
IBM BPM Express

Local fix

  • 



Problem summary


    

  • CVEID: CVE-2015-7400
DESCRIPTION: IBM Business Process Manager is vulnerable to a
denial of service, caused by an XML External Entity Injection
(XXE) error when processing XML data. A remote authenticated
attacker could exploit this vulnerability to consume all
available CPU resources and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score:
See https://exchange.xforce.ibmcloud.com/vulnerabilities/107105 
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7407
DESCRIPTION: IBM Mashups is vulnerable to Server Side Request
Forgery. A remote attacker might use specially crafted HTTP
requests to IBM Mashups in order to make the Mashups servers
call other reachable HTTP services in its network.
CVSS Base Score: 7.5
CVSS Temporal Score:
See https://exchange.xforce.ibmcloud.com/vulnerabilities/107433 
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2015-7454
DESCRIPTION: IBM Business Process Manager could allow an
authenticated user to create pages and spaces that they should
not have access to due to improper access restrictions.
CVSS Base Score: 4.3
CVSS Temporal Score:
See https://exchange.xforce.ibmcloud.com/vulnerabilities/108333 
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

On BPM V7.5.1.2, this APAR also resolves:
CVEID: CVE-2014-8912
DESCRIPTION: IBM WebSphere Portal and other products could allow
a remote attacker to obtain sensitive information, caused by the
failure to restrict access to resources located within web
applications. An attacker could exploit this vulnerability to
obtain configuration data and other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score:
See https://exchange.xforce.ibmcloud.com/vulnerabilities/99253 f
or the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

    



Problem conclusion


    

  • A fix is available for IBM BPM V7.5.1.2, V8.0.1.3, V8.5.0.2,
V8.5.5.0, V8.5.6.0 cumulative fix 2, and IBM BPM V8.5.7.0
CF2016.06 that removes these vulnerabilities. This fix also
introduces a new feature whereby you can disable the user search
capability.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR54678:

1. Select IBM Business Process Manager with your edition from
the product selector, the installed version to the fix pack
level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR54678, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

To enable this feature, configure the
com.ibm.mashups.usersearch.blocked property as described in the
readme file for your version of the product.

    



Temporary fix


    

  • Not applicable

    



Comments


    

  • 



APAR Information




    

  • APAR number
    JR54678
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2015-11-10
    • 

  • Closed date
    2016-08-25
    • 

  • Last modified date
    2016-08-25
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    

  • R751  PSY
       UP
    • 

  • R801  PSY
       UP
    • 

  • R850  PSY
       UP
    • 

  • R855  PSY
       UP
    • 

  • R856  PSY
       UP
    • 

  • R857  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            14 October 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback