-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2130
Security Bulletin: Multiple security vulnerabilities in ElasticSearch might
          affect Process Federation Server (PFS) in IBM Business
           Process Manager (BPM) - CVE-2015-5531, CVE-2015-5377
                              17 August 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Process Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2015-5531 CVE-2015-5377 

Reference:         ASB-2015.0071

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21964010

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple security vulnerabilities in ElasticSearch might 
affect Process Federation Server (PFS) in IBM Business Process Manager (BPM) -
CVE-2015-5531, CVE-2015-5377

Document information

More support for:     IBM Business Process Manager Advanced > Security
Software version:     8.5.6
Operating system(s):  AIX, Linux, Linux zSeries, Solaris, Windows
Reference #:          1964010
Modified date:        2015-08-14

Security Bulletin

Summary

IBM Process Federation Server (PFS) is an optional component that is shipped 
with IBM Business Process Manager (BPM) V8.5.6.0. It allows the collection of
task information of existing IBM Business Process Manager environments to 
provide a federated task list. PFS uses the ElasticSearch open source library
to provide a highly scalable infrastructure. Security vulnerabilities that 
have been disclosed by the ElasticSearch project might affect PFS.

Vulnerability Details

CVEID: CVE-2015-5377

DESCRIPTION: Elasticsearch could allow a remote attacker to execute arbitrary
code on the system, caused by an error in the transport protocol used between
cluster members. An attacker who can reach the transport port could exploit
this vulnerability to execute arbitrary code on the system.

CVSS Base Score: 7.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/104849 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-5531

DESCRIPTION: Elasticsearch could allow a remote attacker to traverse 
directories on the system. An attacker could send a specially crafted URL 
request containing "dot dot" sequences (/../) to the snapshot API to read 
arbitrary files that the JVM process can access.

CVSS Base Score: 5.3

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/104848 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Process Federation Server that is shipped as an optional component with 
IBM Business Process Manager V8.5.6.0.

Remediation/Fixes

A single fix will be provided to address both vulnerabilities. The fix will 
upgrade the version of ElasticSearch to address these two vulnerabilities, and
it will also introduce a new security safeguard that enforces authentication 
when ElasticSearch cluster members communicate with one another using their 
proprietary transport protocol. This additional safeguard will help protect 
PFS customers against potential future vulnerabilities.

The fix is expected in first quarter 2016.

Workarounds and Mitigations

As an immediate mitigation, the following configuration measures are 
recommended:

1. According to the ElasticSearch security issues page, CVE-2015-5531 is caused by
   a flaw in ElasticSearch's snapshot API. For protection, all ElasticSearch REST
   APIs are disabled in PFS by default; the required functionality is provided
   through the PFS REST APIs instead.

   If it is necessary to use the ElasticSearch REST APIs, for example to run open
   source administrative utilities on top of ElasticSearch, they can be enabled
   by authorizing users to call a PFS forwarder application that enforces
   authentication and authorization before forwarding the request to the
   ElasticSearch API. Three authorization roles restrict access to the
   ElasticSearch APIs via the forwarder application, and only the bpmadmin role
   provides access to the snapshot API.

   To mitigate CVE-2015-5531, do not enable the forwarder application for the
   bpmadmin role; this keeps the snapshot API unreachable (and, if no role is
   enabled, the ElasticSearch REST APIs as a whole). If you do need to enable
   access to the ElasticSearch API, keep the set of authorized users minimal.

2. CVE-2015-5377 is a remote code execution vulnerability in which a malicious
   client connects to the TCP port that ElasticSearch uses for communication
   between cluster members. Establish firewall rules that allow inbound traffic
   to the port specified in transport.tcp.port only from the machines that host
   the other PFS cluster members, and drop it from every other source.
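The following is an added example, written for this redistribution and not
code from IBM or PFS, of the gating that mitigation 1 describes in front of the
ElasticSearch REST APIs: authenticate the caller, map the requested endpoint to
the role that may call it, refuse "dot dot" traversal sequences before anything
is forwarded, and keep forwarding for the bpmadmin role (the only role that
reaches the snapshot API) switched off by default. Only the role name bpmadmin
comes from the bulletin; the other role names, the endpoint-to-role mapping and
all function names are assumptions made for illustration.

```python
"""Added example (not PFS or IBM code): an authorisation gate of the kind the
bulletin describes in front of the Elasticsearch REST APIs.

Assumptions: only the role name bpmadmin is from the bulletin; bpmoperator,
bpmreader, the endpoint-to-role mapping and all function names are made up.
"""
import re
from urllib.parse import unquote, urlsplit

SNAPSHOT_ROLE = "bpmadmin"               # from the bulletin
ROLE_FOR_PREFIX = [                      # assumed mapping
    ("/_snapshot", SNAPSHOT_ROLE),       # the API behind CVE-2015-5531
    ("/_cluster", "bpmoperator"),
    ("/_cat", "bpmoperator"),
]
DEFAULT_ROLE = "bpmreader"               # searches and document reads


def percent_decode(text, rounds=3):
    """Decode repeatedly so %2e%2e and double-encoded %252e%252e both
    end up as '..' before the traversal check runs."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_traversal(text):
    """True if any path segment or query token is '..' after decoding.
    Backslashes are folded to '/' so '..\\' is caught as well."""
    decoded = percent_decode(text).replace("\\", "/")
    return any(tok == ".." for tok in re.split(r"[/?&=]", decoded))


def required_role(path):
    """Role that may call this Elasticsearch endpoint (assumed mapping)."""
    for prefix, role in ROLE_FOR_PREFIX:
        if path == prefix or path.startswith(prefix + "/"):
            return role
    return DEFAULT_ROLE


def authorize_forward(user_roles, method, url, bpmadmin_forwarding_enabled=False):
    """Decide whether the forwarder may pass this request to Elasticsearch.
    Returns (allowed, reason).  Unauthenticated and malformed requests are
    rejected before any role logic runs; bpmadmin forwarding, and with it
    the snapshot API, is off unless explicitly enabled."""
    if not user_roles:
        return False, "unauthenticated"
    parts = urlsplit(url)
    if has_traversal(parts.path) or has_traversal(parts.query):
        return False, "traversal sequence rejected"
    role = required_role(parts.path)
    if role == SNAPSHOT_ROLE and not bpmadmin_forwarding_enabled:
        return False, "snapshot API not forwarded: bpmadmin forwarding is disabled"
    if role not in user_roles:
        return False, f"role {role} required"
    return True, f"forward {method} {parts.path}"


if __name__ == "__main__":
    for roles, method, url in [
        ([], "GET", "/_cat/indices"),
        (["bpmreader"], "GET", "/tasks/_search?q=owner:alice"),
        (["bpmadmin"], "PUT", "/_snapshot/backup"),
        (["bpmadmin"], "GET", "/_snapshot/%2e%2e/%2e%2e/etc/passwd"),
    ]:
        print(roles, method, url, "->", authorize_forward(roles, method, url))
```

The traversal check runs on the decoded path and query, not on the raw URL,
because a single decode step is what a naive filter would do and what an
encoded `%252e%252e` is designed to get past; the check is deliberately strict
about whole tokens equal to `..` so that a legitimate search term such as
`a..b` is not refused.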
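As an added example for mitigation 2, not code from IBM or the bulletin, the
block below generates host firewall rules that expose the transport port only
to the other PFS cluster members and audits an existing `iptables -S` listing
for ACCEPT rules that are broader than that. It assumes iptables on Linux and
port 9300, which is the Elasticsearch default for transport.tcp.port but is not
stated in the bulletin (substitute your configured value); the peer addresses
and the sample listing are constructed for the example.

```python
"""Added example (not IBM's or the bulletin's code): build, and audit, host
firewall rules that expose the Elasticsearch transport port only to the
other PFS cluster members.

Assumptions: iptables on Linux; port 9300 (Elasticsearch default for
transport.tcp.port, not stated in the bulletin); peer addresses and the
sample `iptables -S` listing are constructed.
"""
import ipaddress
import re

TRANSPORT_PORT = 9300                                   # assumed default
PFS_PEERS = ["10.20.0.11", "10.20.0.12", "10.20.0.13"]  # constructed


def transport_rules(port=TRANSPORT_PORT, peers=PFS_PEERS, chain="INPUT"):
    """Return iptables commands (not executed): one ACCEPT per peer host,
    then an unconditional DROP so no other client can reach the transport
    protocol.  Peers must be single host addresses; a CIDR such as
    0.0.0.0/0 raises ValueError instead of silently opening the port."""
    rules = []
    for peer in peers:
        addr = ipaddress.ip_address(peer)
        rules.append(f"iptables -A {chain} -p tcp -s {addr} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p tcp --dport {port} -j DROP")
    return rules


def _port_in_spec(spec, port):
    """True if `port` falls in an iptables port spec: 9300, 9300:9400, or
    a multiport list such as 9200,9300."""
    for item in spec.split(","):
        low, _, high = item.partition(":")
        if int(low) <= port <= int(high or low):
            return True
    return False


def audit_transport_rules(listing, port=TRANSPORT_PORT, peers=PFS_PEERS, chain="INPUT"):
    """Check `iptables -S <chain>` output and return a list of findings.
    An empty list means every ACCEPT for the port names a known peer and
    the port is closed to everyone else (catch-all DROP/REJECT or DROP
    policy)."""
    allowed = {ipaddress.ip_network(p) for p in peers}
    findings, closed, policy = [], False, "ACCEPT"
    for line in listing.splitlines():
        line = line.strip()
        pol = re.match(rf"-P {chain} (\w+)$", line)
        if pol:
            policy = pol.group(1)
            continue
        if not line.startswith(f"-A {chain} "):
            continue
        dport = re.search(r"--dports? (\S+)", line)
        target = re.search(r"-j (\S+)", line)
        if not dport or not target or not _port_in_spec(dport.group(1), port):
            continue
        src = re.search(r"(?<!! )-s (\S+)", line)      # a negated source counts as any
        if target.group(1) in ("DROP", "REJECT"):
            closed = closed or src is None              # only a sourceless drop is a catch-all
            continue
        if target.group(1) != "ACCEPT":
            continue
        if src is None or ipaddress.ip_network(src.group(1), strict=False).prefixlen == 0:
            findings.append(f"port {port} ACCEPTed from any source: {line}")
        elif ipaddress.ip_network(src.group(1), strict=False) not in allowed:
            findings.append(f"port {port} ACCEPTed from non-member {src.group(1)}: {line}")
    if not closed and policy != "DROP":
        findings.append(f"no catch-all DROP/REJECT for port {port} and {chain} policy is {policy}")
    return findings


# Constructed listing: one stray host, one world-open multiport rule, no DROP.
SAMPLE_LISTING = """\
-P INPUT ACCEPT
-A INPUT -s 10.20.0.11/32 -p tcp -m tcp --dport 9300 -j ACCEPT
-A INPUT -s 10.20.0.12/32 -p tcp -m tcp --dport 9300 -j ACCEPT
-A INPUT -s 192.168.1.50/32 -p tcp -m tcp --dport 9300 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9200,9300 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

if __name__ == "__main__":
    print("\n".join(transport_rules()))
    for finding in audit_transport_rules(SAMPLE_LISTING):
        print("FINDING:", finding)
```

Run the audit against `iptables -S INPUT` on each PFS host after applying the
rules; the multiport case in the sample is the one most often missed by a
grep for `--dport 9300`, and a missing catch-all DROP with an ACCEPT chain
policy leaves the port open despite the per-peer ACCEPT lines.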

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

IBM Process Federation Server documentation

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

ElasticSearch security issues page

Change History

2015-08-14 - initial version published.

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----