-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1134
          Two vulnerabilities have been identified in IBM FileNet
                         Business Process Manager
                              20 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM FileNet Business Process Manager
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4002 CVE-2013-0169 

Reference:         ESB-2013.1120
                   ESB-2013.1099
                   ESB-2013.1077
                   ESB-2013.0161

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21647217
   http://www-01.ibm.com/support/docview.wss?uid=swg21647223

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM FileNet Business Process Manager Oracle Critical Patch
Updates April 2013 (CVE-2013-0169)

Flash (Alert)

Document information

FileNet P8 Platform

Process Engine

Software version:
4.5.1, 5.0, 5.1

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Reference #:
1647217

Modified date:
2013-08-16

Abstract

Potential security vulnerabilities exist in the IBM Java SDK that is shipped 
with the IBM FileNet Business Process Manager.

Content

The products that are listed below can be affected by security vulnerabilities
reported in the Oracle April 2013 Critical Patch Update:

* IBM FileNet Business Process Manager 4.5.1, 5.0.0/5.1.0

Vulnerability details:

The following security vulnerabilities exist in the IBM Java SDK shipped with
IBM Business Process Manager 4.5.1, 5.0.0/5.1.0.

CVSS:

CVEID: CVE-2013-0169

CVSS Base Score: 4.3

CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/81902

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected products and versions:

Product: IBM Business Process Manager 4.5.1, 5.0.0/5.1.0 including all fix 
packs

Remediation:

Apply the following fixes:

Fix*                     Component-VRMF   How to acquire fix
4.5.1 interim fix        4.5.1.4-P8PE     4.5.1.4-P8PE-IF002
                         4.5.1.2-P8PS     4.5.1.2-P8PS-IF002
                         4.5.1.3-P8PA     4.5.1.3-P8PA-IF002
5.0.0/5.1.0 GA fix pack  5.0.0.5-P8PE     5.0.0.5-P8PE-FP005
                         5.0.0.2-P8PS     5.0.0.2-P8PS-FP002
                         5.0.0.4-P8CA     5.0.0.4-P8CA-FP004

Note: BPM 5.0 and BPM 5.1 are patched by the same 5.0.0.x patch streams.

Workaround(s): None

Mitigation(s): None

References:

Complete CVSS Guide

On-line Calculator V2

http://xforce.iss.net/xforce/xfdb/81902

Related information:

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment-specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: IBM FileNet Business Process Manager XML4J denial of 
service attack (CVE-2013-4002)

Flash (Alert)

Document information

FileNet P8 Platform

Process Engine

Software version:
4.5.1, 5.0, 5.1

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows

Reference #:
1647223

Modified date:
2013-08-16

Abstract

The XML4J parser that is shipped with the IBM FileNet Business Process Manager
is vulnerable to a denial of service attack, which is triggered by malformed 
XML data.

Content

The products that are listed below can be affected by security vulnerabilities
reported to the Apache Xerces-J project:

* IBM FileNet Business Process Manager 4.5.1, 5.0.0/5.1.0

VULNERABILITY DETAILS:

The following security vulnerabilities exist in the XML4J parser that is shipped
with IBM Business Process Manager 4.5.1, 5.0.0/5.1.0.

CVSS:

CVEID: CVE-2013-4002

CVSS Base Score: 7.1

CVSS Temporal Score: http://xforce.iss.net/xforce/xfdb/85260

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

AFFECTED PRODUCTS AND VERSIONS:

Product: IBM Business Process Manager 4.5.1, 5.0.0/5.1.0 including all fix 
packs

REMEDIATION:

Apply the Following Fixes:

Fix*                     Component-VRMF   How to acquire fix
4.5.1                    4.5.1.4-P8PE     Contact IBM Support to obtain an
                         4.5.1.2-P8PS     interim fix if required.
                         4.5.1.3-P8PA
5.0.0/5.1.0 GA FixPack   5.0.0.5-P8PE     5.0.0.5-P8PE-FP005
                         5.0.0.2-P8PS     5.0.0.2-P8PS-FP002
                         5.0.0.4-P8CA     5.0.0.4-P8CA-FP004

Note: BPM 5.0 and BPM 5.1 are patched by the same 5.0.0.x patch streams.

Workaround(s): None

Mitigation(s): None

REFERENCES:

Complete CVSS Guide

On-line Calculator V2

http://xforce.iss.net/xforce/xfdb/85260

CVE-2013-4002

RELATED INFORMATION:

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment-specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUhLmkBLndAQH1ShLAQKx2Q/9EHDRqaK9NLhSrvYPWo16xA8SR/zPwLxv
xcAolatObV4sONl1cSSkVgPmxsjM6YFRZyFmCkYMT9Y9GigdWP3jnTnA+J797Y2E
alQza3f7bbIcDukoEi1v9W290opeKNbSffwdKvOY6Lau7gh5dkc2At0suDyg3Jbp
VdVrMtZ25HF27/N35o+N/JODubEjvz48ncBhQ71LGfSzaldyHKcQMABrhZ0Hwmk6
TVElN1sY9TRy6VBxfaVrKnzhdMkynbgIjFGufFFYhAH8+XgmG7pG5llu7Ejzwzyd
8npeXDVJzqUtogDxaVJJDHCzV7UIW24xV/h6OIh6kRD8KaC5GyDIlL3KGYguk/6U
9RhEdXJ/cuwwjiShJUGFX8k93YPBy51khik5OWZXDZ/PI6irLv2gOJFzqYSTEtWJ
SLB4aPlpPJ74VS6ipYuE+2MwggSVI/W2Gv+1w+p+AWpmsdL5L+gV7SrVDr97Mp8p
rJ4oGywjau5DGqKaHHF73+5e+HNjrpa6znblEiNhEjCZyCVUSLN9d/6XI52puSsD
fSl4nRFbeWWOToz0Qp/0Qxxq+MN8BzdZHAvg4whnDJakEOIQDCks55eBfHW52VX2
5lkzQF6oAPf95QvLAsX0IJaPxMuOVgptWNkjhj6tG+wMvc03F7A5Uq9Hsvh6nWnX
EWiKaKLIADw=
=cxM0
-----END PGP SIGNATURE-----