Direct links to fixes
bpm.8570.cf2016.09.delta.repository.1of2
bpm.8570.cf2016.09.delta.repository.2of2
8.0.1.3-WS-BSPACE-IFJR56300
8.5.0.2-WS-BPM-IFJR56300
8.5.5.0-WS-BPM-IFJR56300
8.5.6.2-WS-BPM-IFJR56300
8.5.5.0-WS-WBM-IFJR56300
8.5.6.0-WS-WBM-IFJR56300
8.5.7.0-WS-WBM-IFJR56300
Downloading IBM Business Process Manager V8.5.7 Cumulative Fix 2016.09
APAR status
Closed as program error.
Error description
CVEID: CVE-2016-3056
DESCRIPTION: IBM Business Process Manager (BPM) and IBM Business Monitor are vulnerable to an HTML injection. A remote attacker could inject malicious HTML code, which, when viewed, would run in the victim's web browser within the security context of the hosting site.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114842 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

PRODUCTS AFFECTED
IBM BPM Advanced
IBM BPM Standard
IBM BPM Express
IBM Business Monitor
Local fix
Problem summary
No additional information is available.
Problem conclusion
A fix for IBM BPM V7.5.1.2, V8.0.1.3, V8.5.0.2, V8.5.5.0, V8.5.6.0, and V8.5.7.0 is available that escapes HTML when displaying user-provided content.

For IBM BPM V7.5.1.2, contact IBM support and request the fix, quoting JR56300.

For IBM BPM V8.0.1.3, V8.5.0.2, and V8.5.5.0, search for JR56300 on Fix Central (http://www.ibm.com/support/fixcentral):
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR56300, and click Continue.

For IBM BPM V8.5.6.0, this fix is built on IBM BPM 8.5.6.0 cumulative fix 2. If you do not already have IBM BPM V8.5.6 cumulative fix 2 installed, download and install IBM BPM V8.5.6 cumulative fix 2 from http://www.ibm.com/support/docview.wss?uid=swg24041303.

For V8.5.7.0, the fix will be included in IBM BPM V8.5.7 cumulative fix 2016.09. To determine whether the later cumulative fix is available and download it if it is, complete the following steps on Fix Central:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select Text, enter 'cumulative fix', and click Continue.

When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number
JR56300
Reported component name
BPM ADVANCED
Reported component ID
5725C9400
Reported release
856
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-07-12
Closed date
2016-09-30
Last modified date
2016-09-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM ADVANCED
Fixed component ID
5725C9400
Applicable component levels
Document Information
Modified date:
04 September 2023