IBM Support

JR56391: SECURITY APAR CVE-2016-5901 - CROSS-SITE SCRIPTING VULNERABILITY IN A PROCESS ADMIN CONSOLE SUBPAGE

Direct links to fixes

bpm.8570.cf2016.09.delta.repository.1of2
bpm.8570.cf2016.09.delta.repository.2of2
8.5.6.2-WS-BPM-IFJR56391
Downloading IBM Business Process Manager V8.5.7 Cumulative Fix 2016.09

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • CVEID: CVE-2016-5901
IBM Business Process Manager (BPM) is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended
functionality potentially leading to credentials disclosure
within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score:
See https://exchange.xforce.ibmcloud.com/vulnerabilities/115511 
for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Local fix

  • 



Problem summary


    

  • Panels in the Process Admin Console are not protected from
cross-site scripting attacks.

    



Problem conclusion


    

  • A fix is available for installation on top of IBM BPM V8.5.6
cumulative fix 2
(http://www.ibm.com/support/docview.wss?uid=swg24041303) that
secures the Process Admin Console against cross-site scripting
attacks.

Ensure you have IBM BPM V8.5.6 cumulative fix 2 installed. Then,
search for JR56391 on Fix Central
(http://www.ibm.com/support/fixcentral):

1. Select IBM Business Process Manager with your edition from
  the product selector, the installed version to the fix pack
  level, and your platform, and then click Continue.

2. Select APAR or SPR, enter JR56391, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR56391
    • 

  • Reported component name
    BPM STANDARD
    • 

  • Reported component ID
    5725C9500
    • 

  • Reported release
    856
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-07-27
    • 

  • Closed date
    2016-09-30
    • 

  • Last modified date
    2016-09-30
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM STANDARD
    • 

  • Fixed component ID
    5725C9500
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"856","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            04 September 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback