-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1488
     Multiple vulnerabilities have been discovered in IBM Business Process
                                Manager (BPM)
                               2 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Process Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Privileged Data -- Existing Account
                   Create Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4759 CVE-2014-4758 CVE-2014-3075

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21679979
   http://www-01.ibm.com/support/docview.wss?uid=swg21680809
   http://www-01.ibm.com/support/docview.wss?uid=swg21680795

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Insufficient control over MIME types in Business Process
Manager (BPM) and WebSphere Lombardi Edition document feature (CVE-2014-3075)

Document information

More support for: IBM Business Process Manager Advanced
Security

Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.5, 8.5.0.1, 8.5.5

Operating system(s): AIX, Linux, Linux zSeries, Solaris, Windows, z/OS

Reference #: 1679979

Modified date: 2014-08-29

Summary

You cannot restrict file uploads by MIME type in a document list coach view. As
a result, HTML that contains embedded JavaScript can be uploaded and run in the
browser.

Vulnerability Details

CVE ID: CVE-2014-3075

DESCRIPTION: IBM Business Process Manager document management feature might
allow a remote attacker to include arbitrary files.
A remote attacker might upload a malicious file from a remote system, which
might allow the attacker to execute arbitrary code on the vulnerable web
server. The concrete attack described in the Summary is client-side: an
uploaded HTML document carrying JavaScript is served back with its original
type and executes in the browser of any user who opens it (stored cross-site
scripting).

CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93817 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Products and Versions

IBM Business Process Manager Standard V7.5.x, 8.0.x, and 8.5.x
IBM Business Process Manager Express V7.5.x, 8.0.x, and 8.5.x
IBM Business Process Manager Advanced V7.5.x, 8.0.x, and 8.5.x
IBM WebSphere Lombardi Edition V7.2.0.x

Remediation/Fixes

Install IBM Business Process Manager interim fix JR50092 as appropriate for your
current IBM Business Process Manager or WebSphere Lombardi Edition version.

IBM Business Process Manager Express
IBM Business Process Manager Standard
IBM Business Process Manager Advanced
IBM WebSphere Lombardi Edition

If you are using earlier unsupported versions, IBM strongly recommends upgrading
to a supported version.

The fix introduces additional functionality to the product with two server-side
configuration options: one for file uploads and one for file downloads.

Uploads: a server-side configuration option allows an optional white-list of
MIME types to be specified. MIME types that are included in the list are allowed
for upload; all other MIME types are blocked from upload.

Downloads: a server-side configuration option allows an optional black-list of
MIME type mappings to be specified. Each mapping converts a specific MIME type
into another specific MIME type when the document is downloaded, so a document
stored with an active type such as text/html is served back with a type the
browser will not render as a page.
The following example is a sample configuration of the new options, which you
can configure in the 100Custom.xml file. White-list entries must be exact
registered media types (image/png, not img/png): an entry that is not a real
type matches nothing and silently blocks the uploads it was meant to allow.

    <server>
      <!-- mime type white list which specifies mime types accepted for -->
      <!-- upload to document list or document attachment -->
      <document-attachment-accepted-mime-types>
        <!-- specifies whether to allow a null mime type for upload -->
        <allow-null-mime-type>false</allow-null-mime-type>
        <!-- lists the mime types allowed for upload -->
        <mime-type>text/plain</mime-type>
        <mime-type>image/png</mime-type>
      </document-attachment-accepted-mime-types>

      <!-- mime type black list which specifies mappings from unacceptable -->
      <!-- mime types to acceptable mime types for download from -->
      <!-- document list or document attachment -->
      <document-attachment-download-mime-types>
        <!-- will map text/html mime type to text/plain mime type -->
        <mime-type-map>
          <from>text/html</from>
          <to>text/plain</to>
        </mime-type-map>
        <!-- missing <to> element implies mapping to application/octet-stream -->
        <mime-type-map>
          <from>application/pdf</from>
        </mime-type-map>
      </document-attachment-download-mime-types>
    </server>

Note: The default configuration, with none of the above present in
100Custom.xml, acts as a black-list for the text/html MIME type and maps it to
text/plain on download. Providing a <document-attachment-download-mime-types>
configuration in 100Custom.xml replaces that default rather than extending it.
As a result, for text/html to remain on the black-list it must be explicitly
added to the 100Custom.xml file, as in the sample above; a custom mapping list
that omits text/html serves any HTML the upload white-list still admits back
to the browser unchanged.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal.
IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
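The two configuration options and the Note on the default mapping, as an added example that is not IBM's code: a small Python model of the upload white-list and the download remap that also audits a 100Custom.xml fragment for the two ways the configuration goes wrong, a white-list entry that is not a registered media type (it matches nothing and blocks the uploads it was meant to allow) and a custom download map that drops the text/html default. Element names are taken from the bulletin's sample; how the product determines an upload's MIME type is not documented here, so a declared type string stands in for it, and listing application/xhtml+xml and image/svg+xml beside text/html as types a browser can execute script from goes beyond the bulletin, which names only text/html.

```python
"""Model of the JR50092 MIME controls plus an audit of a 100Custom.xml fragment.

Added example, not IBM code. Element names come from the bulletin's sample;
the default download map (text/html -> text/plain when nothing is configured)
comes from the bulletin's Note. Everything else is an assumption.
"""
import xml.etree.ElementTree as ET

DEFAULT_DOWNLOAD_MAP = {"text/html": "text/plain"}  # product default, per the Note
GENERIC_BINARY = "application/octet-stream"         # target when <to> is omitted
# Types a browser will execute script from if served as-is. The bulletin names
# text/html; the other two are added here as the same class of risk (assumption).
ACTIVE_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")
# IANA top-level media types; an entry such as "img/png" can never match an upload.
TOP_LEVEL_TYPES = {"application", "audio", "font", "image", "message",
                   "model", "multipart", "text", "video"}


def _norm(mime):
    """Lower-case the type and drop parameters such as '; charset=utf-8'."""
    return mime.split(";", 1)[0].strip().lower()


def parse_custom_xml(xml_text):
    """Return the two option blocks from a <server> fragment.

    None for a list means the element is absent, so the product default applies.
    """
    root = ET.fromstring(xml_text)
    cfg = {"upload_whitelist": None, "allow_null": False, "download_map": None}
    upload = root.find("document-attachment-accepted-mime-types")
    if upload is not None:
        cfg["allow_null"] = upload.findtext("allow-null-mime-type", "false").strip().lower() == "true"
        cfg["upload_whitelist"] = {_norm(m.text) for m in upload.findall("mime-type") if m.text}
    download = root.find("document-attachment-download-mime-types")
    if download is not None:
        dmap = {}
        for entry in download.findall("mime-type-map"):
            src = entry.findtext("from", "").strip()
            if not src:
                continue
            dst = entry.findtext("to", "").strip()
            dmap[_norm(src)] = _norm(dst) if dst else GENERIC_BINARY
        cfg["download_map"] = dmap
    return cfg


def upload_allowed(cfg, declared_type):
    """White-list check on upload; no list configured means everything is accepted."""
    wl = cfg["upload_whitelist"]
    if wl is None:
        return True
    if not declared_type:
        return cfg["allow_null"]
    return _norm(declared_type) in wl


def download_content_type(cfg, stored_type):
    """Content-Type the server sends back for a stored document."""
    dmap = DEFAULT_DOWNLOAD_MAP if cfg["download_map"] is None else cfg["download_map"]
    key = _norm(stored_type)
    return dmap.get(key, key)


def audit(cfg):
    """Findings a reviewer would raise against this configuration (empty = clean)."""
    findings = []
    wl = cfg["upload_whitelist"]
    if wl is None:
        findings.append("no upload white-list: any MIME type, including text/html, is accepted")
    else:
        if cfg["allow_null"]:
            findings.append("allow-null-mime-type is true: uploads without a declared type bypass the white-list")
        for entry in sorted(wl):
            top, sep, _ = entry.partition("/")
            if not sep or top not in TOP_LEVEL_TYPES:
                findings.append(f"white-list entry {entry!r} is not a registered media type and will never match")
    dmap = cfg["download_map"]
    if dmap is not None and "text/html" not in dmap:
        findings.append("custom download map omits text/html: the default text/html->text/plain mapping is lost")
    for t in ACTIVE_TYPES:
        if upload_allowed(cfg, t) and download_content_type(cfg, t) == t:
            findings.append(f"{t} can be uploaded and is served back unchanged")
    return findings


# Constructed fragment with both mistakes: a misspelled white-list entry and a
# download map that drops the text/html default.
RISKY_CUSTOM_XML = """<server>
  <document-attachment-accepted-mime-types>
    <allow-null-mime-type>false</allow-null-mime-type>
    <mime-type>text/plain</mime-type>
    <mime-type>img/png</mime-type>
    <mime-type>image/svg+xml</mime-type>
  </document-attachment-accepted-mime-types>
  <document-attachment-download-mime-types>
    <mime-type-map><from>application/pdf</from></mime-type-map>
  </document-attachment-download-mime-types>
</server>"""

# Constructed fragment that keeps text/html on the black-list explicitly.
HARDENED_CUSTOM_XML = """<server>
  <document-attachment-accepted-mime-types>
    <allow-null-mime-type>false</allow-null-mime-type>
    <mime-type>text/plain</mime-type>
    <mime-type>image/png</mime-type>
  </document-attachment-accepted-mime-types>
  <document-attachment-download-mime-types>
    <mime-type-map><from>text/html</from><to>text/plain</to></mime-type-map>
    <mime-type-map><from>application/pdf</from></mime-type-map>
  </document-attachment-download-mime-types>
</server>"""

if __name__ == "__main__":
    for label, xml in (("risky", RISKY_CUSTOM_XML), ("hardened", HARDENED_CUSTOM_XML)):
        print(label, audit(parse_custom_xml(xml)) or "no findings")
```

Run against the risky fragment the audit reports the img/png entry, the lost text/html mapping, and that image/svg+xml is both accepted and served back unchanged; the hardened fragment produces no findings. An empty `<server/>` (no 100Custom.xml overrides) still remaps text/html but accepts every upload type, which is the state the fix leaves a server in until the white-list is configured.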
Cross reference information

Segment               Product                       Component  Platform                             Version
Business Integration  IBM Business Process Manager  Security   AIX, Linux, Linux zSeries, Solaris,  8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1,
                      Standard                                 Windows                              8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1,
                                                                                                    7.5.0.1, 7.5
Business Integration  IBM Business Process Manager  Security   Linux, Linux zSeries, Windows        8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1,
                      Express                                                                       8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1,
                                                                                                    7.5.0.1, 7.5
Business Integration  WebSphere Lombardi Edition    Security   AIX, HP-UX, Linux, Linux zSeries,    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
                                                               Linux/x86, Solaris, Windows,         7.2.0.1, 7.2
                                                               Windows Vista, Windows XP

Product Alias/Synonym

BPM

- ------------------------------------

Security Bulletin: Information disclosure in IBM Business Process Manager (BPM)
V8.5 document attachments search (CVE-2014-4759)

Document information

More support for: IBM Business Process Manager Advanced
Security

Software version: 8.5, 8.5.0.1, 8.5.5

Operating system(s): AIX, Linux, Linux zSeries, Solaris, Windows

Reference #: 1680809

Modified date: 2014-08-29

Summary

IBM BPM document attachment queries can return document properties that contain
sensitive information.

Vulnerability Details

CVE ID: CVE-2014-4759

DESCRIPTION: An Ajax service that is shipped with the Content Management toolkit
allows users to search for IBM BPM document attachments from the Document List
coach control. The service can be invoked by authenticated users and accepts any
document query as input. Users might invoke the service with a query that
returns all documents, including associated document properties.

Note: Listing all available documents is a valid usage scenario for the
service. Access to document content is restricted so that only users that are
authorized to work with a process instance can view the contents of documents
that are attached to that process instance. However, customers might store
sensitive information in document properties, and those properties are
returned by the search even to users who cannot read the document itself.
Therefore, customer-defined document properties must not be returned by the
default search service.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94486 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

IBM Business Process Manager Standard V8.5.x
IBM Business Process Manager Express V8.5.x
IBM Business Process Manager Advanced V8.5.x

Note: The query feature is only available for customers with the IBM BPM
document store feature configured. This feature is configured by default unless
one of the following limitations applies:

8.5.0.x: Limitations in administering the IBM BPM document store
8.5.5.x: Limitations in administering the IBM BPM document store

Remediation/Fixes

Install interim fix JR50871 as appropriate for your current IBM Business Process
Manager version.

IBM Business Process Manager Express
IBM Business Process Manager Standard
IBM Business Process Manager Advanced

Workarounds and Mitigations

None

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

Cross reference information

Segment               Product                       Component  Platform                             Version
Business Integration  IBM Business Process Manager  Security   Linux, Linux zSeries, Windows        8.5.5, 8.5.0.1, 8.5
                      Express
Business Integration  IBM Business Process Manager  Security   AIX, Linux, Linux zSeries, Solaris,  8.5.5, 8.5.0.1, 8.5
                      Standard                                 Windows

Product Alias/Synonym

BPM

- --------------

Security Bulletin: Missing access restriction on service types in IBM Business
Process Manager (BPM) and WebSphere Lombardi Edition (CVE-2014-4758)

Document information

More support for: IBM Business Process Manager Advanced
Security

Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.5, 8.5.0.1, 8.5.5

Operating system(s): AIX, Linux, Linux zSeries, Solaris, Windows, z/OS

Reference #: 1680795

Modified date: 2014-08-29

Summary

When invoking a service using the callService URL, there is no access
restriction based on the service type, so services that were meant for internal
use only are available to any authenticated user.

Vulnerability Details

CVE ID: CVE-2014-4758

DESCRIPTION: IBM Business Process Manager and Lombardi Edition are vulnerable to
an authenticated remote attacker accessing services that were meant for internal
use only.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94485 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Affected Products and Versions

IBM Business Process Manager Standard V7.5.x, 8.0.x, 8.5.x
IBM Business Process Manager Express V7.5.x, 8.0.x, 8.5.x
IBM Business Process Manager Advanced V7.5.x, 8.0.x, 8.5.x
IBM WebSphere Lombardi Edition V7.2.x

Remediation/Fixes

Install the interim fix for APAR JR50215 as appropriate for your current IBM
Business Process Manager or WebSphere Lombardi Edition version.
IBM Business Process Manager Express
IBM Business Process Manager Standard
IBM Business Process Manager Advanced
IBM WebSphere Lombardi Edition

If you are using earlier unsupported versions, IBM strongly recommends upgrading
to a supported version.

Note: This fix, by default, prevents access through the callService URL to
services of types other than Ajax service. A new configuration option is
available to enable other service types for backwards compatibility; see the
APAR description for more details. Enabling a type through that option restores
the pre-fix exposure for every service of that type, so enable only the types
your deployed applications actually call through callService.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal.

IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately
impact the Overall CVSS Score. Customers can evaluate the impact of this
vulnerability in their environments by accessing the links in the Reference
section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
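Both Ajax-service fixes in this bulletin, the service-type check on the callService URL (CVE-2014-4758, above) and the redaction of customer-defined document properties from the default search service (CVE-2014-4759, earlier), as one added Python example that is not IBM's code. The service registry, the type name "internal service", the backwards-compatibility parameter extra_allowed_types, the system-property names, the process-instance membership table and the documents are all constructed for the example; the bulletin states only that callService made no service-type check, that document content is restricted to members of the owning process instance, and that the search service returned all document properties.

```python
"""Model of the callService fix (JR50215) and the document search fix (JR50871).

Added example, not IBM code. Only "Ajax service" and "callService" are names
the bulletin uses; the registry, the type "internal service", the property
names, the membership table and the documents are hypothetical.
"""
import logging

log = logging.getLogger("callService")


class Forbidden(Exception):
    """Refused request; a real front end would answer HTTP 403."""


# --- constructed document store ---------------------------------------------
# "creditLimit" and "reviewerNotes" stand in for the sensitive customer-defined
# properties the bulletin warns about; "name" and "mimeType" are the
# (hypothetical) product-defined properties the search is meant to return.
DOCUMENTS = [
    {"id": "d1", "processInstance": "pi-100", "content": b"%PDF-1.4 ...",
     "properties": {"name": "invoice.pdf", "mimeType": "application/pdf",
                    "creditLimit": "250000", "reviewerNotes": "fraud suspected"}},
    {"id": "d2", "processInstance": "pi-200", "content": b"\x89PNG ...",
     "properties": {"name": "photo.png", "mimeType": "image/png"}},
]
SYSTEM_PROPERTIES = {"name", "mimeType"}
INSTANCE_MEMBERS = {"pi-100": {"alice"}, "pi-200": {"bob"}}   # who may work on what


def search_documents(user, query="*", redact_custom_properties=True):
    """Search as exposed to the Document List coach control.

    Listing every document is a legitimate use, so the query is not restricted.
    The JR50871 behaviour modelled here is that customer-defined properties are
    dropped from every hit; redact_custom_properties=False is the pre-fix output.
    """
    hits = []
    for doc in DOCUMENTS:
        if query != "*" and query.lower() not in doc["properties"]["name"].lower():
            continue
        props = doc["properties"]
        if redact_custom_properties:
            props = {k: v for k, v in props.items() if k in SYSTEM_PROPERTIES}
        hits.append({"id": doc["id"], "properties": props})
    return hits


def get_document_content(user, doc_id):
    """Content stays restricted to members of the owning process instance."""
    for doc in DOCUMENTS:
        if doc["id"] == doc_id:
            if user not in INSTANCE_MEMBERS.get(doc["processInstance"], set()):
                raise Forbidden(f"{user} is not a member of {doc['processInstance']}")
            return doc["content"]
    raise KeyError(doc_id)


def internal_export(user, **_):
    """Stand-in for a service meant to be called only from inside the product."""
    return "export-started"


# name -> (service type, handler)
SERVICES = {
    "documentSearch": ("Ajax service", search_documents),
    "internalExport": ("internal service", internal_export),
}
DEFAULT_CALLABLE_TYPES = frozenset({"Ajax service"})


def call_service_before_fix(user, name, **args):
    """Pre-JR50215: any authenticated user may reach any registered service."""
    if not user:
        raise Forbidden("authentication required")
    _type, handler = SERVICES[name]
    return handler(user, **args)


def call_service(user, name, extra_allowed_types=(), **args):
    """Post-fix: the service type is checked before dispatch.

    extra_allowed_types models the backwards-compatibility option; each type
    listed there becomes reachable again by every authenticated user.
    """
    if not user:
        raise Forbidden("authentication required")
    stype, handler = SERVICES[name]
    if stype not in DEFAULT_CALLABLE_TYPES.union(extra_allowed_types):
        log.warning("denied callService %s (%s) for %s", name, stype, user)
        raise Forbidden(f"service type {stype!r} is not callable via callService")
    return handler(user, **args)


def denied(fn, *args, **kwargs):
    """True if the call is refused with Forbidden (used by the checks below)."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False
```

With the pre-fix dispatcher, bob reaches internalExport and a wildcard search hands him d1's creditLimit and reviewerNotes even though get_document_content refuses him d1's content; after the fix the internal service is refused unless "internal service" is passed in extra_allowed_types, and the search returns only the system-defined properties.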
Cross reference information

Segment               Product                               Component  Platform                            Version
Business Integration  IBM Business Process Manager Express  Security   Linux, Linux zSeries, Windows       8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1,
                                                                                                           8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1,
                                                                                                           7.5.0.1, 7.5
Business Integration  IBM Business Process Manager Standard Security   AIX, Linux, Linux zSeries,          8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1,
                                                                       Solaris, Windows                    8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1,
                                                                                                           7.5.0.1, 7.5
Business Integration  WebSphere Lombardi Edition            Security   AIX, HP-UX, Linux, Linux zSeries,   7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2,
                                                                       Linux/x86, Platform Independent,    7.2.0.1, 7.2
                                                                       Solaris, Windows, Windows Vista,
                                                                       Windows XP

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT
did not write the document quoted above, AusCERT has had no control over its
content. The decision to follow or act on information or advice contained in
this security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the information is
still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVAVF6RLndAQH1ShLAQLILQ//ToKQUrUJIQEDAygTHIbydAf5hNaFVzjS
TICkaOubo77G6wX72IAkoWLmMkYtlm4kv/hJd+XwpzB0evXAtL9wYAQ3GCEG88zB
bZ79D0WXFRz+qSMrpItEfuadRgqt6mWE39lkf2QYJNxt9fFYUQMqdUDvsZdxtdeY
15SXjc7sVPPH1L8z1MH8oc8na1oIQW6x8iPTPtvkBMt953pan38EDFMkuz/IZN+O
5RnsweNR0I0d6OWmNDmhn8jWRO3z3YibEAyhxNsNn2FwM3RpocYNszMdhjo0m0kS
4B0ucXolwFNX1k7BYbSUoSCaH4RSBIQhSRAKV6sFn6ej0NLZNWXNJZlsM1hf4aWE
Ag3LC9zwI+qu8NZzzPvXxkLGi1DekVeRFG3r1I6Loc/gaWOiGWH/jOhZEEJfiOqs
gHoxEL9X5gQuV8mta7kH0XvS1NvoeLHRHcUfWZE9wB7sqGDZLVXunraYm31O1v5Q
h0N8rH8zpcZSm19zU3UMC6y3mT+QVLsx/4BmNbtRhWtCGay+0IFNPdwcae0mSidk
kOEjvAM7xoGRAphtR8ICzWfQx1CCVVQMGVciXmXNpN6zLpI5ri0jAJmBwnzn9zRM
fVDAGZphR3pZHAavD5YBSq0qHd/BY9HYoRpdz0AqcvN13HlaVtC3B2jViNKyZT4N
6ouJYWfMbQE=
=TAfd
-----END PGP SIGNATURE-----