-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1488
           Multiple vulnerabilities have been discovered in IBM
                      Business Process Manager (BPM)
                             2 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Process Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Privileged Data -- Existing Account
                   Create Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4759 CVE-2014-3075 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21679979
   http://www-01.ibm.com/support/docview.wss?uid=swg21680809
   http://www-01.ibm.com/support/docview.wss?uid=swg21680795

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Insufficient control over MIME types in Business Process
Manager (BPM) and WebSphere Lombardi Edition document feature (CVE-2014-3075)

Security Bulletin

Document information

More support for:
IBM Business Process Manager Advanced
Security

Software version:
7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1, 8.0.1.2, 8.5,
8.5.0.1, 8.5.5

Operating system(s):
AIX, Linux, Linux zSeries, Solaris, Windows, z/OS

Reference #:
1679979

Modified date:
2014-08-29

Summary

You cannot restrict file uploads by MIME type in a document list coach
view. As a result, HTML that contains embedded JavaScript can be uploaded
and run in the browser.

Vulnerability Details

CVE ID: CVE-2014-3075
DESCRIPTION:
IBM Business Process Manager document management feature might allow a
remote attacker to include arbitrary files. A remote attacker might upload
a malicious file from a remote system, which might allow the attacker to
execute arbitrary code on the vulnerable web server.

CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93817 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Products and Versions

    IBM Business Process Manager Standard V7.5.x, 8.0.x, and 8.5.x
    IBM Business Process Manager Express V7.5.x, 8.0.x, and 8.5.x
    IBM Business Process Manager Advanced V7.5.x, 8.0.x, and 8.5.x
    IBM WebSphere Lombardi Edition V7.2.0.x

Remediation/Fixes

Install IBM Business Process Manager interim fix JR50092 as appropriate
for your current IBM Business Process Manager or WebSphere Lombardi
Edition version.

    IBM Business Process Manager Express
    IBM Business Process Manager Standard
    IBM Business Process Manager Advanced
    IBM WebSphere Lombardi Edition


If you are using earlier unsupported versions, IBM strongly recommends
upgrading to a supported version.

The fix introduces additional functionality to the product in the form of
two server-side configuration options: one for file uploads and one for
file downloads.

    A server-side configuration option is introduced, which allows an
    optional white-list of MIME types to be specified. MIME types that
    are included in the list are allowed for upload; all other MIME
    types are blocked from upload.
    A server-side configuration option is introduced, which allows an
    optional black-list of MIME type mappings to be specified. Each MIME
    type mapping converts a specific MIME type to another specific MIME
    type upon download.


The following example is a sample configuration of new options, which you
can configure in the 100Custom.xml file:

<server>
  <!-- mime type white list which specifies mime types accepted for -->
  <!-- upload to document list or document attachment -->
  <document-attachment-accepted-mime-types>
    <!-- specifies whether to allow a null mime type for upload -->
    <allow-null-mime-type>false</allow-null-mime-type>
    <!-- lists the mime types allowed for upload -->
    <mime-type>text/plain</mime-type>
    <mime-type>image/png</mime-type>
  </document-attachment-accepted-mime-types>

  <!-- mime type black list which specifies mappings from unacceptable -->
  <!-- mime types to acceptable mime types for download from -->
  <!-- document list or document attachment -->
  <document-attachment-download-mime-types>
    <!-- will map text/html mime type to text/plain mime type -->
    <mime-type-map>
      <from>text/html</from>
      <to>text/plain</to>
    </mime-type-map>
    <!-- missing <to> element implies mapping to content/octet-stream -->
    <mime-type-map>
      <from>application/pdf</from>
    </mime-type-map>
  </document-attachment-download-mime-types>
</server>

Note: The default configuration, which does not include the configuration
information that is provided in the 100Custom.xml file, acts as a
blacklist for the text/html MIME type and maps it to the text/plain MIME
type. Providing a configuration in the 100Custom.xml file overrides the
default configuration. As a result, for text/html to remain on the blacklist,
it should be explicitly added to the 100Custom.xml file.
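Added example (not IBM's code): a small Python model of the upload whitelist and download mapping described above, built from a constructed 100Custom.xml fragment using the element names in the sample. It demonstrates the override pitfall from the Note: a custom download list that omits text/html silently drops the default text/html to text/plain rewrite. The behaviour when no whitelist is configured at all is an assumption, marked in the code.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the 100Custom.xml fragment in the bulletin (its element names, illustrative values).
CUSTOM_XML = """<server>
  <document-attachment-accepted-mime-types>
    <allow-null-mime-type>false</allow-null-mime-type>
    <mime-type>text/plain</mime-type>
    <mime-type>image/png</mime-type>
  </document-attachment-accepted-mime-types>
  <document-attachment-download-mime-types>
    <mime-type-map><from>text/html</from><to>text/plain</to></mime-type-map>
    <mime-type-map><from>application/pdf</from></mime-type-map>
  </document-attachment-download-mime-types>
</server>"""

# Constructed override that omits text/html: the pitfall the bulletin's Note warns about.
OVERRIDE_XML = ("<server><document-attachment-download-mime-types>"
                "<mime-type-map><from>application/pdf</from></mime-type-map>"
                "</document-attachment-download-mime-types></server>")

DEFAULT_DOWNLOAD_MAP = {"text/html": "text/plain"}  # default behaviour stated in the bulletin
FALLBACK_TYPE = "content/octet-stream"              # target of a missing <to>, per the bulletin


class AttachmentMimePolicy:
    """Model of the upload whitelist and download map the bulletin describes."""

    def __init__(self, xml_text=None):
        # Assumption: without a whitelist, uploads are unfiltered (the pre-fix behaviour).
        self.upload_whitelist = None
        self.allow_null = True
        self.download_map = dict(DEFAULT_DOWNLOAD_MAP)
        if xml_text is None:
            return
        root = ET.fromstring(xml_text)
        up = root.find("document-attachment-accepted-mime-types")
        if up is not None:
            self.upload_whitelist = {m.text.strip() for m in up.findall("mime-type")}
            self.allow_null = up.findtext("allow-null-mime-type", "true").strip().lower() == "true"
        down = root.find("document-attachment-download-mime-types")
        if down is not None:
            self.download_map = {}  # a custom list replaces the default entirely
            for m in down.findall("mime-type-map"):
                target = (m.findtext("to") or FALLBACK_TYPE).strip()
                self.download_map[m.findtext("from").strip()] = target

    def upload_allowed(self, mime_type):
        # mime_type is None when the upload declares no type at all
        if mime_type is None:
            return self.allow_null
        return self.upload_whitelist is None or mime_type in self.upload_whitelist

    def download_type(self, stored_type):
        # Content-Type the server should send back for a stored attachment type
        return self.download_map.get(stored_type, stored_type)
```

Compare AttachmentMimePolicy(OVERRIDE_XML).download_type("text/html") with the default policy's result to see why text/html must be re-listed whenever a custom download list is supplied.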

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment:    Business Integration
Product:    IBM Business Process Manager Standard
Component:  Security
Platform:   AIX, Linux, Linux zSeries, Solaris, Windows
Version:    8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1,
            7.5.1, 7.5.0.1, 7.5

Segment:    Business Integration
Product:    IBM Business Process Manager Express
Component:  Security
Platform:   Linux, Linux zSeries, Windows
Version:    8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1,
            7.5.1, 7.5.0.1, 7.5

Segment:    Business Integration
Product:    WebSphere Lombardi Edition
Component:  Security
Platform:   AIX, HP-UX, Linux, Linux zSeries, Linux/x86, Solaris, Windows,
            Windows Vista, Windows XP
Version:    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2

Product Alias/Synonym

BPM

- ------------------------------------
Security Bulletin: Information disclosure in IBM Business Process Manager
(BPM) V8.5 document attachments search (CVE-2014-4759)

Security Bulletin
Document information

More support for:
IBM Business Process Manager Advanced
Security

Software version:
8.5, 8.5.0.1, 8.5.5

Operating system(s):
AIX, Linux, Linux zSeries, Solaris, Windows

Reference #:
1680809

Modified date:
2014-08-29

Summary

IBM BPM document attachment queries can return document properties that
contain sensitive information.

Vulnerability Details

CVE ID: CVE-2014-4759
DESCRIPTION:
An Ajax service that is shipped with the Content Management toolkit allows
users to search for IBM BPM document attachments from the Document List
coach control. The service can be invoked by authenticated users and
accepts any document query as input. Users might invoke the service with
a query that returns all documents including associated document properties.

Note: Listing all available documents is a valid usage scenario for the
service. Access to document content is restricted so that only users that are
authorized to work with a process instance can view contents of documents
that are attached to this process instance. However, customers might store
sensitive information in document properties. Therefore, customer-defined
document properties must not be returned by the default search service.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94486 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

    IBM Business Process Manager Standard V8.5.x
    IBM Business Process Manager Express V8.5.x
    IBM Business Process Manager Advanced V8.5.x

Note: The query feature is only available for customers with the IBM BPM
document store feature configured. This feature is configured by default
unless one of the following limitations applies:

    8.5.0.x: Limitations in administering the IBM BPM document store
    8.5.5.x: Limitations in administering the IBM BPM document store

Remediation/Fixes

Install interim fix JR50871 as appropriate for your current IBM Business
Process Manager or WebSphere Lombardi Edition version.
    IBM Business Process Manager Express
    IBM Business Process Manager Standard
    IBM Business Process Manager Advanced

Workarounds and Mitigations

None

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information 

Segment:    Business Integration
Product:    IBM Business Process Manager Express
Component:  Security
Platform:   Linux, Linux zSeries, Windows
Version:    8.5.5, 8.5.0.1, 8.5

Segment:    Business Integration
Product:    IBM Business Process Manager Standard
Component:  Security
Platform:   AIX, Linux, Linux zSeries, Solaris, Windows
Version:    8.5.5, 8.5.0.1, 8.5

Product Alias/Synonym

BPM

- --------------
Security Bulletin: Missing access restriction on service types in IBM
Business Process Manager (BPM) and WebSphere Lombardi Edition (CVE-2014-4758)

Document information

More support for:

IBM Business Process Manager Advanced
Security

Software version:
7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1, 8.0.1.2, 8.5, 
8.5.0.1, 8.5.5

Operating system(s):
AIX, Linux, Linux zSeries, Solaris, Windows, z/OS

Reference #:
1680795

Modified date:
2014-08-29

Security Bulletin

Summary

When invoking a service using the callService URL, there is no access
restriction based on the service type and services that were meant for
internal use only are available for authenticated users.

Vulnerability Details

CVE ID: CVE-2014-4758
DESCRIPTION:
IBM Business Process Manager and Lombardi Edition are vulnerable to an
authenticated remote attacker accessing services that were meant for
internal use only.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94485 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Affected Products and Versions

    IBM Business Process Manager Standard V7.5.x, 8.0.x, and 8.5.x
    IBM Business Process Manager Express V7.5.x, 8.0.x, and 8.5.x
    IBM Business Process Manager Advanced V7.5.x, 8.0.x, and 8.5.x
    IBM WebSphere Lombardi Edition V7.2.x

Remediation/Fixes

Install the interim fix for APAR JR50215 as appropriate for your current
IBM Business Process Manager or WebSphere Lombardi Edition version.
    IBM Business Process Manager Express
    IBM Business Process Manager Standard
    IBM Business Process Manager Advanced
    IBM WebSphere Lombardi Edition

If you are using earlier unsupported versions, IBM strongly recommends
upgrading to a supported version.

Note: This fix, by default, prevents access to services of types other than
Ajax service. A new configuration option is available to enable other service
types for backwards compatibility. See the APAR description for more details.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment:    Business Integration
Product:    IBM Business Process Manager Express
Component:  Security
Platform:   Linux, Linux zSeries, Windows
Version:    8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1,
            7.5.1, 7.5.0.1, 7.5

Segment:    Business Integration
Product:    IBM Business Process Manager Standard
Component:  Security
Platform:   AIX, Linux, Linux zSeries, Solaris, Windows
Version:    8.5.5, 8.5.0.1, 8.5, 8.0.1.2, 8.0.1.1, 8.0.1, 8.0, 7.5.1.2, 7.5.1.1,
            7.5.1, 7.5.0.1, 7.5

Segment:    Business Integration
Product:    WebSphere Lombardi Edition
Component:  Security
Platform:   AIX, HP-UX, Linux, Linux zSeries, Linux/x86, Platform Independent,
            Solaris, Windows, Windows Vista, Windows XP
Version:    7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----