IBM Support

Knowledge Collection: Security documents for the IBM Business Process Manager products

Education


Abstract

This knowledge collection is a focused compilation of links to security-related documents for the IBM Business Process Manager products.

Content

Knowledge Collections are navigation aids that organize content to help users quickly find relevant information. Knowledge Collections are not designed to be an all-inclusive list of all documents dealing with the specific theme. The applicable version is included in each entry.

If you need technical support, see the Support section for information on what IBM Software Support needs to investigate the issue.

This document contains the following sections:



Security bulletins and Flashes

Security Bulletin: IBM WebSphere Lombardi Edition and IBM Business Process Manager (BPM) cross-site scripting vulnerability in error situations (CVE-2014-0957) (1679064)
Versions: 8.5.5, 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
When you invoke a service using a URL, user input can be returned in unhandled service failure situations.



Security Bulletin: ClassLoader manipulation with Apache Struts (CVE-2014-0114) and Denial Of Service vulnerability in Apache Commons FileUpload (CVE-2014-0050) affect IBM Business Process Manager (BPM) V8.5.5.0 (1678359)
Version: 8.5.5
Security vulnerabilities have been reported for the Apache Struts 1.1 and Apache Commons FileUpload libraries shipped with one component of IBM Business Process Manager V8.5.5.


Security Bulletin: ClassLoader manipulation with Apache Struts (CVE-2014-0114) affects WebSphere Lombardi Edition and IBM Business Process Manager (BPM) (1674435)
Version: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
There is a class loader manipulation vulnerability in Apache Struts (CVE-2014-0114) that affects WebSphere Lombardi Edition and IBM Business Process Manager.


Security Bulletin: Security vulnerability in IBM WebSphere Application Server, which is shipped with IBM Business Process Manager (BPM): CPU Utilization (CVE-2014-0963) (1673741)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
IBM WebSphere Application Server is shipped as a component of IBM Business Process Manager. Information about a security vulnerability, which affects IBM WebSphere Application Server, has been published in a security bulletin.


Security Bulletin: Information regarding security vulnerability in IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server and addressed by Oracle CPU January 2014 (1665267)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
Multiple security vulnerabilities exist in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server and included in the products that are listed in this document.


Security Bulletin: Denial of Service vulnerability in Apache Commons FileUpload affects IBM Business Process Manager (BPM) (1670373)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
A security vulnerability exists in the open source library Apache Commons FileUpload that is shipped with, and used by, the IBM Business Process Manager products.


The IBM Business Process Manager (BPM), WebSphere Process Server (WPS), and WebSphere Lombardi Edition products are not affected by the OpenSSL Heartbleed vulnerability (CVE-2014-0160) (1670118)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
These products are not vulnerable to the CVE-2014-0160 OpenSSL Heartbleed vulnerability.


Security Bulletin: Missing authorization concept for IBM Business Process Manager (BPM) User Attributes CVE-2014-0908 (1669330)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, 7.5
The User Attribute feature in IBM Business Process Manager does not have an authorization concept.


Security Bulletin: Information regarding security vulnerability in IBM SDK Java? Technology Edition that is shipped with IBM WebSphere Application Server and addressed by Oracle CPU January 2014 (1665267)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, 7.5
Multiple security vulnerabilities exist in the IBM SDK Java Technology Edition that is shipped with IBM WebSphere Application Server and included in the products that are listed in this document.


Security Bulletin: Information regarding security vulnerability in IBM SDK for Java that is shipped with IBM WebSphere Application Server and addressed by Oracle CPU October 2013 (1660149)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
Multiple security vulnerabilities exist in the IBM SDK for Java that is shipped with IBM WebSphere Application Server and included in the products that are listed in this document.


Security Bulletin: IBM WebSphere Process Server Java API Documentation Frame Injection Vulnerability (CVE-2013-1571) (1641918)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
HTML documentation generated by the Javadoc tool contains a security vulnerability. The vulnerability allows an attacker to craft a malicious link to the documentation which injects arbitrary content into the main frame. The injected content appears to originate from the site hosting the documentation, but in fact it is hosted elsewhere, and may contain malicious links or content. This type of attack is known as "clickjacking".


Security Bulletin: IBM Business Process Manager (BPM) Vulnerable URLs (CVE-2013-0581) (1633593)
Versions 8.0.1, 8.0, and 7.5.1
When a dashboard is opened or a service is executed, a malicious attacker can intercept network requests from the client. Then, the attacker can modify the URL parameters of the request so that malicious code can be executed within the client browser.


Security Bulletin: An IBM Business Process Manager SSL connection can be established without host name verification: CVE-2012-5785 (1622589)
Versions: 8.0.1, 8.0, 7.5.1, 7.5
A Secure Sockets Layer (SSL) connection can be established without host name verification, which an make the connection vulnerable to a man-in-the-middle attack.


Security Bulletin: WebSphere Process Server (WPS) / IBM Business Process Manager (BPM) - Cross-site scripting security vulnerability in local help system (1659888)
Versions: 7.5.1 and 7.5
A Cross-site scripting security vulnerability exists in the IBM Eclipse Help System, which is used to provide the product information centers for the IBM WebSphere Process Server and IBM Business Process Manager products. For more details about Cross-site Scripting (XSS), see the Open Web Application Security Project (OWASP) Wiki link, which is listed under Related URLs.

Webcast replays

Webcast replay: BPM Security and LDAP - Concepts and Troubleshooting (7038616)
Versions: 8.0.1, 8.0, and 7.5.1
This presentation focuses on concepts , considerations and troubleshooting of BPM security with a primary focus on BPM's handling of security with an external user registry / LDAP.
Level of Difficulty: Intermediate
Presenters: Sridhar Edam and Shinsou (Al) Wang
Date: 11 June 2013

Webcast replay: IBM Business Process Manager (BPM) Security (7036415)
Versions: 8.0, 7.5.1, 7.5.0.1
This session covers configuring Single Sign On/Lightweight Directory Access Protocol to access Business Process Manager. It also talks about the user/group references in various components of Business Process Manager like problem determination, Process Admin, WebSphere Application Server, and so on. At the end of the presentation, there was a discussion on troubleshooting in this area.
Level of Difficulty: Intermediate
Presenters: Sridhar Edam and Dhamu Veluswamy
Date: 20 November 2012


Known problems and solutions

IBM Business Process Manager (BPM) cannot communicate with the IBM BPM document store (1673250)
Version: 8.5
IBM Business Process Manager cannot communicate with the IBM BPM document store. All attempts to communication with the IBM BPM document store result in an exception.



"Error communicating with server" when accessing the Process Inspector from the Process Admin console in IBM Business Process Manager (BPM) (1664837)
Versions 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
You access the Process Admin console directly without a load balancer and a web server in front of it. You then switch to the Process Inspector view and the following error is displayed: "Error communicating with server."


"Error communicating with server" when accessing Process Inspector from Process Admin console in IBM Business Process Manager (BPM) with load balancer in front of web server (1664735)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, 7.5
You access the Process Admin console with a load balancer and a web server in front of IBM Business Process Manager. You then switch to the Process Inspector view and the following error is displayed: "Error communicating with server."


IBM Business Process Manager (BPM) cannot connect to Blueworks Live due to a missing or expired certificate (1614684)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
If you subscribe to Blueworks Live processes from IBM Process Designer, you might encounter a connectivity problem because the Blueworks Live certificate in the WebSphere Default Trust Store is missing or has expired.


A user in a group cannot retrieve assigned tasks in the IBM Business Process Manager (BPM) Process Portal (1616500)
Versions: 8.5 and 8.0.1
Portal users in a group cannot see tasks that have been assigned to their group.


Changing the value of the Session Bean Timeout in IBM Business Process Manager (BPM) (1601357)
Versions: 8.5, 8.0.1, 8.0, 7.5.1 and 7.5
The default value of Session Bean Timeout in Business Process Manager is 7200 seconds. How do you change this default value?


The "Read E-Mail via IMAP" integration service for the IBM Business Process Manager (BPM) products does not support SSL (1592149)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
The integration service "Read Email via IMAP" from the System Toolkit does not support the IMAPS protocol. As a result, you cannot connect to IMAP servers that require Secure Sockets Layer (SSL).


A "CWLLG0095W: The repository contact failed with a status of: 302" error occurs with IBM Business Process Manager (BPM) (1580089)
Versions: 8.5, 8.0.1, 8.0, 7.5.1 and 7.5
When the Process Server tries to connect to the Process Center repository, the following warning message might occur in the SystemOut.log file: CWLLG0095W: The repository contact failed with a status of: 302


Special characters in IBM Business Process Manager (BPM) user IDs and passwords might lead to unpredictable results (1670078)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
When you use special characters in IBM Business Process Manager user IDs and passwords, you might encounter unpredictable results. When you log into the Process Center from IBM Process Designer, you might get two authentication requests. You might also receive multiple requests when you switch from the Designer view to the Process Center view in IBM Process Designer.


Switching Business Process Choreographer Explorer back to using HTTP from HTTPS (4034421)
Versions: 8.5, 8.0.1
In Business Process Manager Advanced Version 8.0.1, the default protocol used by Business Process Choreographer Explorer was changed to use HTTPS. You can switch it back to HTTP.


Changing the deployment environment administrator for IBM Business Process Manager (BPM) leads to a NullPointerException in the getOrCreateUserInfoObject within the log files (1656384)
Versions: 8.5
If you change the deployment environment administrator in IBM Business Process Manager V8.5 to be a user from a federated LDAP repository, you might see a NullPointerException exception.


A group manager for IBM Business Process Manager (BPM) cannot assign or re-assign tasks to users from external security provider (1647104)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
When a group manager attempts to assign a task to a user, a "You are not authorized to perform the 'assign' action" or "You are not authorized to reassign the task to this user" message is seen.


IBM Business Process Manager (BPM) does not resolve nested group LDAP members with Tivoli Directory Server (1646097)
Versions: 8.5, 8.0.1, 8.0, 7.5.1, and 7.5
When you use the Process Admin Console of IBM Business Process Manager to manage nested groups, some of the users are not shown with Tivoli Directory Server.


Some LDAP users not displaying in IBM Business Process Manager (BPM) user management tools (1642128)
Versions: 8.5, 8.0.1, 8.0, and 7.5
You might use Lightweight Directory Access Protocol (LDAP) user repositories to provide users for your IBM Business Process Manager system. When you try to manage users or map them to participant groups, you might notice that some users or groups that exist in your LDAP repository do not display in the IBM Business Process Manager user lists.


Potential security vulnerabilities in the IBM Business Process Management products for the Oracle October 2012 CPU (1620041)
Versions: 8.0.1, 8.0, 7.5.1, 7.5
The IBM Business Process Manager, WebSphere Process Server, WebSphere Lombardi Edition, and WebSphere Enterprise Service Bus products depend on WebSphere Application Server and its IBM Developer Kit, Java edition.


A SqlIntegrityConstraintViolationException occurs during the group replication process for IBM Business Process Manager (BPM (1619620)
Versions: 8.0.1, 8.0, 7.5.1
When IBM Business Process Manager is configured to use LDAP and LDAP has duplicate groups in it, at server startup, a SqlIntegrityConstraintViolationException gets thrown. Additionally, upon server startup, LDAP groups are not visible from WebSphere Application Server Administrative Console or Process Admin Console. APAR JR44698 is applied & the server is restarted. But the original problem still persists.


The Portal or Coach session expiration for IBM Business Process Manager (BPM) is shorter than desired (1633251)
Versions: 8.0.1, 8.0, 7.5.1 and 7.5
You want a long session time, possibly several hours, for Portal or a Coach. However, session expiration exception messages are seen after you set up the Portal or Coach session.


Running Security AppScan software on IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (1643921)
Versions: 8.0.1, 8.0, 7.5.1, and 7.5
After running Security AppScan software, it lists vulnerable URLs in the report. What does it mean? Is your IBM Business Process Manager or WebSphere Lombardi Edition software vulnerable?


Intermittent SSL issues occur in IBM Business Process Manager (BPM) (1653447)
Versions: 8.0.1, 8.0, 7.5.1, and 7.5
In IBM Business Process Manager V7.5.x and 8.0.x products, there is an intermittent issue that causes the wrong trust store to be used for SSL connections. This situation leads to different types of communication errors between servers.


A NullPointerException occurs when running the BPMSecurityUnlock command for IBM Business Process Manager (BPM) (1640440)
Versions: 8.0.1 and 8.0
When you run the BPMSecurityUnlock command using wsadmin, a WASX7015E exception occurs.


The participant.addusers() JavaScript API method does not successfully add the user to a participant group for IBM Business Process Manager (BPM) (1633204)
Versions: 8.0.1, 8.0, and 7.5.1
Sometimes applications attempt to add a user into a participant group using the participant.addusers() API. However, the user cannot be found in the participant group.


With IBM Business Process Manager (BPM), inconsistent values are seen when using an API to assign an attribute value for multiple attribute definitions with the same name from different applications (1631389)
Versions: 8.0.1, 8.0, 7.5.1, and 7.5
You might use the tw.system.user.setAttributeValue API in IBM Business Process Manager Process Designer to assign different values to existing user attribute definitions with the same "ParticipantGroups" name in two different applications. However, the assigned values are inconsistent when you retrieve the user attribute values from the Process Admin Console.


A SRVE0068E error occurs when an LDAP user is added to the tw_admins group when using IBM Business Process Manager (BPM) Advanced and IBM Business Process Manager Standard (1593114)
Version: 8.0
When you access the Monitoring > Instrumentation functionality in the Process Admin Console using an LDAP user that was added to the LDAP tw_admins group you will receive a SRVE0068E error.


IBM Business Process Manager (BPM) Advanced and IBM Business Process Manager Standard internal custom repository user name fails with a CWLLG2015E error message (1593299)
Version: 8.0
IBM Business Process Manager Advanced and IBM Business Process Manager Standard internal custom repository user names that contain ?=? characters are not added to the LSW_USR_XREF table.


Server startup problems occur when using IBM Business Process Manager (BPM) with Lightweight Directory Access Protocol (LDAP) for a large number of groups (1594714)
Versions: 8.0, 7.5.1
When IBM Business Process Manager is configured to use LDAP with a large number of groups, the server might take a long time to start.


Changing the tw_admin password in IBM Business Process Manager (BPM) after installation (1619258)
Versions: 8.0, 7.5.1
After your install IBM Business Process Manager, you attempt to change the tw_admin password value. However, the following error occurs in the SystemOut.log file: CWLLG2003E: GetSubject for userName=tw_admin failed in ServiceLocator.


LDAP attributes, other than the user name and display name, are not accessible in IBM Business Process Manager (BPM) (1609893)
Versions: 8.0, 7.5.1, 7.5
How can you access user attributes other than user name and display name in an LDAP store from the IBM Business Process Manager products?


The 'Manage Group' Add User search in the Process Admin Console does not return available users for IBM Business Process Manager (BPM) (1615427)
Versions: 8.0, 7.5.1, 7.5
When you search for a user within the 'Manage Group' in the Process Admin Console for IBM Business Process Manager, a more specific search keyword does not result in any entries. In addition, an LDAP timeout message is added to the SystemOut.log file.


For IBM Business Process Manager (BPM) Advanced, a password issue occurs with the tw_user and results in a "SECJ0055E: Authentication failed" error (1645311)
Versions: 7.5.1 Fix Pack 1
You are running IBM Business Process Manager Advanced V7.5.1 Fix Pack 1 (7.5.1.1) in a 4-cluster topology. After you change the default passwords for the tw_* IDs including the tw_user, you notice that the performance database definitions in that Process Center are not getting updated even after you click update tracking definitions.


Trust store problem when connecting from Process Designer to Process Center in IBM Business Process Manager (BPM) (1590164)
Version: 7.5.1
Trust store is not included for a network deployment (ND) environment or with a correct password for security with Process Designer.


An IBM Business Process Manager (BPM) exception occurs when adding an LDAP user or group to a Lombardi internal group (1617395)
Versions: 7.5.1 and 7.5
Although able to see LDAP members and groups, they cannot successfully be added to Lombardi user groups.


Error: You cannot maintain internal users because the application server is not configured to use the Business Process Manager (BPM) Internal Security Provider. (1586586)
Versions: 7.5.1, 7.5
When you click "manage users" in the IBM Business Process Manager Process Admin Console, you see a "You cannot maintain internal users because the application server is not configured to use the BPM Internal Security Provider" error.


Importing a Teamworks file that references content from LDAP into IBM Business Process Manager (BPM) can fail (1571843)
Version: 7.5.1
Importing a Teamworks file that references LDAP Users and Groups into a system that is not configured to use the same LDAP repository can result in failure. The references are added when a user selects users and groups from LDAP when defining a participant group. Exporting a snapshot to a Teamworks file causes that file to contain references to content from LDAP.


Integrated authentication set up with IBM Business Process Manager (BPM) Version 7.5 (1506999)
Version: 7.5.1 and 7.5

How do you setup integrated authentication with Process Portal, Process Admin, Microsoft Office Add-On and Microsoft Sharepoint Add-On for IBM Business Process Manager 7.5.x ?


Securing the messaging engines underlying the IBM Process Server and Performance Data Warehouse for IBM Business Process Manager (BPM) (1499518)
Version: 7.5
The buses underlying the IBM Process Server and Performance Data Warehouse are shipped unsecured; to secure the buses, you need to complete additional steps.


IBM Business Process Manager (BPM) server fails to start and java.security.AccessControlException messages exist in the SystemOut.log files (1501660)
Version: 7.5
The server fails to start, and you see multiple java.security.AccessControlException errors in the SystemOut.log file if you enable Java™ 2 security on IBM Business Process Manager V7.5.

Support


If you are having security issues and need help from IBM Support, see the Collect troubleshooting data for security problems in IBM Business Process Manager (BPM) (1609418) topic. This document explains what documentation you must collect (MustGather) so that the IBM Business Process Manager Support team can diagnose your problem. If you gather this documentation before contacting support, it will expedite the troubleshooting process, and save you time.


Other Knowledge Collections for IBM Business Process Manager




Original Publication Date

14 December 2012

[{"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.5.5;8.5;8.0.1;8.0;7.5.1;7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"","label":"Linux zSeries"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5;8.5;8.0.1;8.0;7.5.1;7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSFTBX","label":"IBM Business Process Manager Express"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.5.5;8.5;8.0.1;8.0;7.5.1;7.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 June 2018

UID

swg27036942