-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0806
  Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
         Process Designer used in IBM Business Process Manager and
                        WebSphere Lombardi Edition
                               27 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Process Designer
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Modify Arbitrary Files         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-3253 CVE-2016-5552 CVE-2016-5549
                   CVE-2016-5548 CVE-2016-5547 CVE-2016-5546
                   CVE-2016-2183

Reference:         ASB-2017.0028
                   ASB-2017.0005
                   ASB-2017.0001
                   ESB-2016.2263
                   ESB-2016.2239.2
                   ESB-2016.2238

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22000871

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM
Process Designer used in IBM Business Process Manager and WebSphere
Lombardi Edition

Document information

More support for: IBM Process Designer
General

Software version: 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1, 8.0.1.2,
8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.7

Operating system(s): Windows

Reference #: 2000871

Modified date: 24 March 2017

Security Bulletin

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition
that is used by IBM Process Designer in IBM Business Process Manager and
WebSphere Lombardi Edition. These issues were disclosed as part of the
IBM Java SDK updates in January 2017.

Vulnerability Details

CVEID: CVE-2016-5546
DESCRIPTION: An unspecified vulnerability related to the Libraries component
has no confidentiality impact, high integrity impact, and no availability
impact.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120869 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2017-3253
DESCRIPTION: An unspecified vulnerability related to the 2D component
could allow a remote attacker to cause a denial of service resulting in
a high availability impact using unknown attack vectors.
CVSS Base Score: 7.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120868 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-5548
DESCRIPTION: An unspecified vulnerability related to the Libraries component
could allow a remote attacker to obtain sensitive information resulting
in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120864 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5549
DESCRIPTION: An unspecified vulnerability related to the Libraries component
could allow a remote attacker to obtain sensitive information resulting
in a high confidentiality impact using unknown attack vectors.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120863 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5547
DESCRIPTION: An unspecified vulnerability related to the Libraries component
could allow a remote attacker to cause a denial of service resulting in
a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120871 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-5552
DESCRIPTION: An unspecified vulnerability related to the Networking
component has no confidentiality impact, low integrity impact, and no
availability impact.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/120872 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-2183
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by an error in the DES/3DES cipher, used as a part of the
SSL/TLS protocol. By capturing large amounts of encrypted traffic between
the SSL/TLS server and the client, a remote attacker able to conduct a
man-in-the-middle attack could exploit this vulnerability to recover the
plaintext data and obtain sensitive information. This vulnerability is
known as the SWEET32 Birthday attack.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/116337 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

These vulnerabilities affect IBM Business Process Manager V7.5.x through
V8.5.7.0 and WebSphere Lombardi Edition V7.2.0.x.

Remediation/Fixes

The Eclipse-based IBM Process Designer tool includes its own instance of the
IBM SDK Java Technology Edition. To obtain the fix for this development
tool, install APAR JR57474 for your version of IBM Business Process Manager
or WebSphere Lombardi Edition:

    IBM Business Process Manager Advanced
    IBM Business Process Manager Standard
    IBM Business Process Manager Express

As WebSphere Lombardi Edition and IBM Business Process Manager V7.5 are
out of general support, customers with a support extension contract can
contact IBM support to request the fix for download.

If you are on an earlier unsupported release, IBM strongly recommends
upgrading.

Workarounds and Mitigations

None

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

23 March 2017: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information

(Segment: Business Integration; Component: Security for all entries below)

Product:  IBM Business Process Manager Advanced
Version:  8.5.7, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1,
          8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

Product:  IBM Business Process Manager Standard
Version:  8.5.7, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1,
          8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

Product:  IBM Business Process Manager Express
Version:  8.5.7, 8.5.6, 8.5.5, 8.5.0.2, 8.5.0.1, 8.5, 8.0.1.3, 8.0.1.2, 8.0.1.1,
          8.0.1, 8.0, 7.5.1.2, 7.5.1.1, 7.5.1, 7.5.0.1, 7.5

Product:  WebSphere Lombardi Edition
Version:  7.2.0.5, 7.2.0.4, 7.2.0.3, 7.2.0.2, 7.2.0.1, 7.2

Product Alias/Synonym

WLE
PD
BPM

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----