-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1134
   Two vulnerabilities have been identified in IBM FileNet Business Process
                                   Manager
                               20 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM FileNet Business Process Manager
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4002 CVE-2013-0169

Reference:         ESB-2013.1120
                   ESB-2013.1099
                   ESB-2013.1077
                   ESB-2013.0161

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21647217
   http://www-01.ibm.com/support/docview.wss?uid=swg21647223

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM FileNet Business Process Manager Oracle Critical Patch
Updates April 2013 (CVE-2013-0169)

Flash (Alert)

Document information

FileNet P8 Platform
Process Engine

Software version: 4.5.1, 5.0, 5.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1647217
Modified date: 2013-08-16

Abstract

Potential security vulnerabilities exist in the IBM Java SDK that is shipped
with the IBM FileNet Business Process Manager.
Content

The products that are listed below can be affected by security vulnerabilities
as reported by Oracle April 2013 Critical Patch updates:

* IBM FileNet Business Process Manager 4.5.1, 5.0.0/5.1.0

Vulnerability details:

The following security vulnerabilities exist in the IBM Java SDK shipped with
IBM Business Process Manager 4.5.1, 5.0.0/5.1.0

CVSS:

CVEID: CVE-2013-0169
CVSS Base Score: 4.3
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/81902
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected products and versions:

Product: IBM Business Process Manager 4.5.1, 5.0.0/5.1.0 including all fix
packs

Remediation:

Apply the following fixes:

Fix*                   Component-VRMF    How to acquire fix
4.5.1 interim fix      4.5.1.4-P8PE      4.5.1.4-P8PE-IF002
                       4.5.1.2-P8PS      4.5.1.2-P8PS-IF002
                       4.5.1.3-P8PA      4.5.1.3-P8PA-IF002
5.0.0/5.1.0 GA         5.0.0.5-P8PE      5.0.0.5-P8PE-FP005
fix pack               5.0.0.2-P8PS      5.0.0.2-P8PS-FP002
                       5.0.0.4-P8CA      5.0.0.4-P8CA-FP004

Note: BPM 5.0 and BPM 5.1 are patched by the same 5.0.0.x patch streams.

Workaround(s): None

Mitigation(s): None

References:

Complete CVSS Guide
On-line Calculator V2
http://xforce.iss.net/xforce/xfdb/81902

Related information:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment-specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: IBM FileNet Business Process Manager XML 4J denial of
service attack (CVE-2013-4002)

Flash (Alert)

Document information

FileNet P8 Platform
Process Engine

Software version: 4.5.1, 5.0, 5.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1647223
Modified date: 2013-08-16

Abstract

The XML4J parser that is shipped with the IBM FileNet Business Process Manager
is vulnerable to a denial of service attack, which is triggered by malformed
XML data.

Content

The products that are listed below can be affected by security vulnerabilities
reported to the Apache Xerces-J project:

* IBM FileNet Business Process Manager 4.5.1, 5.0.0/5.1.0

VULNERABILITY DETAILS:

The following security vulnerabilities exist in the XML4J that is shipped with
IBM Business Process Manager 4.5.1, 5.0.0/5.1.0

CVSS:

CVEID: CVE-2013-4002
CVSS Base Score: 7.1
CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85260
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

AFFECTED PRODUCTS AND VERSIONS:

Product: IBM Business Process Manager 4.5.1, 5.0.0/5.1.0 including all fix
packs

REMEDIATION:

Apply the Following Fixes:

Fix*                Component-VRMF    How to acquire fix
4.5.1               4.5.1.4-P8PE      Contact IBM Support to obtain an
                    4.5.1.2-P8PS      interim fix if required.
                    4.5.1.3-P8PA
5.0.0/5.1.0 GA      5.0.0.5-P8PE      5.0.0.5-P8PE-FP005
FixPack             5.0.0.2-P8PS      5.0.0.2-P8PS-FP002
                    5.0.0.4-P8CA      5.0.0.4-P8CA-FP004

Note: BPM 5.0 and BPM 5.1 are patched by the same 5.0.0.x patch streams.
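The remediation tables in both bulletins give the fixed Component-VRMF level per patch stream. As an added example that is not part of the IBM or AusCERT text, the following Python parses those VRMF strings and compares an inventory of installed levels against them, using the 4.5.1 interim-fix levels from the CVE-2013-0169 table and the 5.0.0.x fix-pack levels common to both bulletins; the host names in the sample inventory are constructed.

```python
import re
from typing import NamedTuple, Optional

# Fixed Component-VRMF levels copied from the bulletin's remediation tables.
# 4.5.1 is fixed by interim fixes (IF002), 5.0.0/5.1.0 by GA fix packs; the
# bulletin says BPM 5.0 and 5.1 share the 5.0.0.x stream, so both use that row.
FIXED_LEVELS = {
    "4.5.1": {"P8PE": "4.5.1.4-P8PE-IF002", "P8PS": "4.5.1.2-P8PS-IF002",
              "P8PA": "4.5.1.3-P8PA-IF002"},
    "5.0.0": {"P8PE": "5.0.0.5-P8PE-FP005", "P8PS": "5.0.0.2-P8PS-FP002",
              "P8CA": "5.0.0.4-P8CA-FP004"},
}
# V.R.M.F-Component[-IFnnn|-FPnnn]; the fix tag is absent on a base level.
_VRMF_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(P8[A-Z]{2})(?:-(IF|FP)(\d+))?$")

class Vrmf(NamedTuple):
    version: tuple   # (V, R, M, F)
    component: str   # e.g. P8PE
    interim: int     # interim-fix number on top of the VRMF, 0 if none

def parse_vrmf(text: str) -> Vrmf:
    """Parse a Component-VRMF string as printed in the bulletin's fix table."""
    m = _VRMF_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Component-VRMF string: {text!r}")
    v, r, mod, f, comp, kind, num = m.groups()
    # FPnnn only restates the F digit; IFnnn sits on top of the VRMF and
    # must be compared separately, so only an IF number is kept.
    interim = int(num) if kind == "IF" else 0
    return Vrmf((int(v), int(r), int(mod), int(f)), comp, interim)

def is_at_fixed_level(installed: str) -> Optional[bool]:
    """True/False when the bulletin covers this stream and component, else None."""
    inst = parse_vrmf(installed)
    stream = "%d.%d.%d" % inst.version[:3]
    fixed_text = FIXED_LEVELS.get(stream, {}).get(inst.component)
    if fixed_text is None:
        return None
    fixed = parse_vrmf(fixed_text)
    return (inst.version, inst.interim) >= (fixed.version, fixed.interim)

def assess(inventory: dict) -> dict:
    """Map host -> 'fixed' / 'vulnerable' / 'not covered' for installed levels."""
    labels = {True: "fixed", False: "vulnerable", None: "not covered"}
    return {h: labels[is_at_fixed_level(lvl)] for h, lvl in inventory.items()}

# Constructed sample inventory (hypothetical host names, not from the bulletin).
SAMPLE_INVENTORY = {"pe-01": "4.5.1.4-P8PE-IF001", "pe-02": "4.5.1.4-P8PE-IF002",
                    "ps-01": "5.0.0.1-P8PS", "ca-01": "5.0.0.4-P8CA-FP004",
                    "ce-01": "5.0.0.3-P8CE-FP003"}
```

A component the bulletin does not list (such as P8CE in the sample) is reported as "not covered" rather than as fixed, so it is not silently treated as safe.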
Workaround(s): None

Mitigation(s): None

REFERENCES:

Complete CVSS Guide
On-line Calculator V2
http://xforce.iss.net/xforce/xfdb/85260
CVE-2013-4002

RELATED INFORMATION:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment-specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.