Direct links to fixes
APAR status
Closed as program error.
Error description
CVEID: CVE-2016-9693 DESCRIPTION: IBM Business Process Manager has a file download capability that is vulnerable to a set of attacks. Ultimately, an attacker can cause an unauthenticated victim to download a malicious payload. An existing file type restriction can be bypassed so that the payload might be considered executable and cause damage on the victim's machine. CVSS Base Score: 7.1 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119517 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
Local fix
Problem summary
Because of how the "download in CSV (comma separated values) format" function in IBM BPM was implemented, a browser sends all data to the server and expects the same data back as a downloadable stream. The server-side URL is vulnerable because of - insufficient authorization (available for anonymous users) - insufficient file extension checking (possibility to bypass the .csv file extension restriction) - accepting GET requests that can easily be sent to victims in a chat or email PRODUCTS AFFECTED IBM Business Process Manager (BPM) Advanced IBM BPM Standard IBM BPM Express
Problem conclusion
A fix is available for the latest fix pack of all supported IBM BPM releases: 7.5.1.2, 8.0.1.3, 8.5.0.2, 8.5.5.0, 8.5.6.0 CF02, and 8.5.7.0 CF 2016.12. The fix will also be included in IBM BPM 8.5.7.0 CF 2017.03. This fix by default completely disables the vulnerable URL and updates all IBM BPM product components that cause requests to this URL to use the client-side JavaScript instead. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR57149: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR57149, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number
JR57149
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
857
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-12-09
Closed date
2017-02-24
Last modified date
2017-02-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
04 September 2023