-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2421
                         Security Bulletin: IBM
                             25 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Business Process Manager
                   IBM WebSphere Process Server
                   IBM WebSphere Enterprise Service
                   IBM WebSphere Lombardi Edition
Publisher:         IBM
Operating System:  AIX
                   Solaris
                   Linux variants
                   Windows
                   z/OS
Impact/Access:     Increased Privileges     -- Existing Account
                   Denial of Service        -- Remote/Unauthenticated
                   Cross-site Scripting     -- Remote with User Interaction
                   Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1000381 CVE-2017-11499 CVE-2017-10053
                   CVE-2017-1539 CVE-2017-1501 CVE-2017-1425
                   CVE-2017-1424 CVE-2017-1382 CVE-2017-1346
                   CVE-2013-0464

Reference:         ESB-2017.2184
                   ESB-2017.2179
                   ESB-2017.2102
                   ESB-2013.0765

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg22004654
   http://www-01.ibm.com/support/docview.wss?uid=swg22005112
   http://www-01.ibm.com/support/docview.wss?uid=swg22005596
   http://www-01.ibm.com/support/docview.wss?uid=swg22006265
   http://www-01.ibm.com/support/docview.wss?uid=swg22006348
   http://www-01.ibm.com/support/docview.wss?uid=swg22007168
   http://www-01.ibm.com/support/docview.wss?uid=swg22007343
   http://www-01.ibm.com/support/docview.wss?uid=swg22007451
   http://www-01.ibm.com/support/docview.wss?uid=swg22008025
   http://www-01.ibm.com/support/docview.wss?uid=swg22004654

Comment: This bulletin contains ten (10) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Potential information leakage during process app export in
IBM Business Process Manager (CVE-2017-1346)

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2,
8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 2004654
Modified date: 22 September 2017

Security Bulletin

Summary

IBM Business Process Manager temporarily stores files in a usually shared
directory during offline installs and thus might leak sensitive information
stored in the files.

Vulnerability Details

CVEID: CVE-2017-1346
DESCRIPTION: IBM Business Process Manager temporarily stores files in a
temporary folder during offline installs which could be read by a local user
within a short timespan.
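The description above is the classic insecure temporary-file pattern: data written under a predictable name in a directory every local user can list and read. The Python below is an added illustration, not IBM's code and not taken from the bulletin; it places the pattern the bulletin describes beside the hardened form (a private 0700 directory from tempfile.mkdtemp, a file opened with O_EXCL and mode 0600) and includes the permission check a reviewer would run on the result. File names, the payload and the chmod call that emulates a default umask of 022 are constructed for the example.

```python
import os
import stat
import tempfile


def write_shared_temp(payload: bytes, name: str = "bpm-export.tmp") -> str:
    """The pattern the bulletin describes, shown for contrast only: a
    predictable file name in the shared system temp directory. The chmod
    reproduces what the common default umask 022 yields, so the contrast
    does not depend on the host's umask (constructed for this example)."""
    path = os.path.join(tempfile.gettempdir(), name)
    with open(path, "wb") as fh:
        fh.write(payload)
    os.chmod(path, 0o644)  # group/world readable during the install window
    return path


def write_private_temp(payload: bytes) -> str:
    """Hardened pattern: a fresh directory with an unpredictable name that
    tempfile.mkdtemp creates with mode 0700, and inside it a file opened with
    O_EXCL (fails if anything already sits at that path, such as a symlink
    planted by another local user) and mode 0600."""
    workdir = tempfile.mkdtemp(prefix="bpm-offline-")
    path = os.path.join(workdir, "export.tmp")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    return path


def is_private(path: str) -> bool:
    """Review check for either pattern: True only when neither the file nor
    its containing directory grants any permission bit to group or others."""
    group_or_other = stat.S_IRWXG | stat.S_IRWXO
    file_mode = stat.S_IMODE(os.lstat(path).st_mode)
    dir_mode = stat.S_IMODE(os.lstat(os.path.dirname(path)).st_mode)
    return (file_mode & group_or_other) == 0 and (dir_mode & group_or_other) == 0


def remove_private_temp(path: str) -> None:
    """Remove the file and its private directory once the install step is done."""
    os.remove(path)
    os.rmdir(os.path.dirname(path))


def demo() -> tuple:
    """Create one file with each pattern, check both, clean up, and return
    (private_is_private, shared_is_private); expected (True, False)."""
    payload = b"constructed export data"
    private = write_private_temp(payload)
    shared = write_shared_temp(payload)
    try:
        return is_private(private), is_private(shared)
    finally:
        remove_private_temp(private)
        os.remove(shared)


if __name__ == "__main__":
    print("private file is private, shared file is private:", demo())
```

The directory check matters as much as the file mode: a 0600 file inside a world-writable directory can still be replaced or renamed by another user, which is why the hardened form creates its own directory rather than tightening a file in the shared one.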
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/126461 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
    2017.03

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or CF containing
APAR JR57917 as soon as practical:

IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

For IBM BPM V7.5.0.0 through V7.5.1.2:
- - Upgrade to minimal Refresh Pack 1, install Fix Pack 2 as required by iFix
    and then apply iFix JR57917
For IBM BPM V8.0.0.0 through V8.0.1.3:
- - Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix
    and then apply iFix JR57917
For IBM BPM V8.5.0.0 through V8.5.0.2:
- - Install Fix Pack 2 as required by iFix and then apply iFix JR57917
For IBM BPM V8.5.5.0:
- - Apply iFix JR57917
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2:
- - Install CF2 as required by iFix and then apply iFix JR57917
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.03:
- - Install CF 2017.06

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal.
IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 September 2017: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: HTML injection vulnerability in IBM Business Process
Manager (BPM) - CVE-2017-1424

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612,
8.5.7.CF201703, 8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2005112
Modified date: 22 September 2017

Security Bulletin

Summary

IBM BPM allows users to interact with one another without fully removing HTML
markup. This might allow controlling parts of the user interface, possibly
script injection.

Vulnerability Details

CVEID: CVE-2017-1424
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting.
This vulnerability allows users to embed arbitrary JavaScript code in the Web
UI thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127477 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- - IBM Business Process Manager Advanced V8.5.7.0 including cumulative fix
    2017.06

Remediation/Fixes

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06:
- - Install CF 2017.06 as required by iFix and then apply iFix JR58043

- - IBM Business Process Manager Advanced
- - IBM Business Process Manager Standard
- - IBM Business Process Manager Express

Workarounds and Mitigations

Disable all Social Features, or only the Mentions feature within the Social
Features, by setting com.ibm.bpm.portal.disableSocial=all or
com.ibm.bpm.portal.disableSocial=mentions. Consult the documentation at
https://www.ibm.com/support/knowledgecenter/en/SSFTN5_8.5.7/com.ibm.wbpm.admin.doc/topics/tadm_portal_customprops_mashups.html
for details.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 Sep 2017: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Cross-Site Scripting vulnerability in Business Space Help
affects IBM Business Process Manager (BPM) and WebSphere Process Server
(WPS) - CVE-2013-0464

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2,
8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703,
8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2005596
Modified date: 22 September 2017

Security Bulletin

Summary

IBM Eclipse Help System bundled with Business Space Help is vulnerable to
Cross-Site Scripting.

Vulnerability Details

CVEID: CVE-2013-0464
DESCRIPTION: IBM Eclipse Help System, as used in multiple IBM products, is
vulnerable to cross-site scripting. A remote attacker could exploit this
vulnerability using a specially-crafted URL to execute script in a victim's
Web browser within the security context of the hosting Web site, once the URL
is clicked. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

- - WebSphere Process Server V7.0.0.0 - V7.0.0.5 (and likely earlier
    unsupported versions)
- - IBM Business Process Manager Advanced V7.5.0.0 - V7.5.1.2
- - IBM Business Process Manager all editions V8.0.0.0 - V8.0.1.3
- - IBM Business Process Manager all editions V8.5.0.0 - V8.5.7.0 including
    cumulative fix 2017.06

Remediation/Fixes

Install IBM BPM or WLE interim fix JR58150 as appropriate for your current
version.

IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

As IBM Business Process Manager V7.5 and WebSphere Process Server are out of
general support, customers with a support extension contract can contact IBM
support to request the fix.

For WebSphere Process Server 7.0.0.0 through 7.0.0.5:
- - Install Fix Pack 5 as required by iFix and then apply iFix JR58150
For IBM BPM V7.5.0.0 through V7.5.1.2:
- - Upgrade to minimal Refresh Pack 1, install Fix Pack 2 as required by iFix
    and then apply iFix JR58150
For IBM BPM V8.0.0.0 through V8.0.1.3:
- - Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix
    and then apply iFix JR58150
For IBM BPM V8.5.0.0 through V8.5.0.2:
- - Install Fix Pack 2 as required by iFix and then apply iFix JR58150
For IBM BPM V8.5.5.0:
- - Apply iFix JR58150
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2:
- - Install CF2 as required by iFix and then apply iFix JR58150
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06:
- - Install CF 2017.06 and then apply iFix JR58150

Workarounds and Mitigations

Uninstall the BusinessSpaceHelp application and use IBM hosted help instead.
Important note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal.

IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 Sep 2017: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Cross-site scripting vulnerability in IBM Business Process
Manager (BPM) - CVE-2017-1425

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 8.0.1.1, 8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612,
8.5.7.CF201703, 8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2006265
Modified date: 22 September 2017

Security Bulletin

Summary

IBM BPM reflects untrusted user input without fully removing HTML markup.
This might allow controlling parts of the user interface, possibly script
injection.

Vulnerability Details

CVEID: CVE-2017-1425
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI thus altering the intended functionality potentially leading to
credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127478 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- - IBM Business Process Manager V8.0.1.1
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
    2017.06

Note that releases 8.0.1.2, 8.0.1.3, 8.5.5.0, and 8.5.6 (including cumulative
fixes) are NOT affected.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or CF containing
APAR JR58044 as soon as practical:

IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

For IBM BPM V8.0.1.1:
- - Install Fix Pack 3
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06:
- - Install CF 2017.06 as required by iFix and then apply iFix JR58044

Workarounds and Mitigations

None

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Nalla Muthu SandPrasath K

Change History

30 Sep 2017: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Business Process Manager,
WebSphere Process Server, WebSphere Enterprise Service Bus, and WebSphere
Lombardi Edition (CVE-2017-1382)

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2,
8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703,
8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2006348
Modified date: 22 September 2017

Security Bulletin

Summary

WebSphere Application Server is shipped as a component of IBM Business Process
Manager, WebSphere Process Server, WebSphere Enterprise Service Bus, and
WebSphere Lombardi Edition. WebSphere Application Server Liberty is shipped as
a component of the optional BPM component Process Federation Server.
Information about security vulnerabilities affecting IBM WebSphere Application
Server Traditional and IBM WebSphere Application Server Liberty has been
published in a security bulletin.
Vulnerability Details

Please consult the security bulletin Security Bulletin: WebSphere Application
Server may have insecure file permissions (CVE-2017-1382)

Affected Products and Versions

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
    2017.06
- - WebSphere Process Server V7.0.0.0 through V7.0.0.5
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5

For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal.

IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

30 September 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect
IBM Business Process Manager (BPM) Configuration Editor

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2, 8.5.7.CF201606,
8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703, 8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2007168
Modified date: 22 September 2017

Security Bulletin

Summary

Security vulnerabilities have been reported for IBM SDK for Node.js. IBM
Business Process Manager includes a stand-alone tool for editing configuration
properties files that is based on IBM SDK for Node.js.

Vulnerability Details

CVEID: CVE-2017-1000381
DESCRIPTION: c-ares could allow a remote attacker to obtain sensitive
information, caused by an out-of-bounds read in the ares_parse_naptr_reply()
function when parsing NAPTR responses. By sending a specially crafted DNS
response packet, an attacker could exploit this vulnerability to read memory
outside of the given input buffer and cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128625 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2017-11499
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by a flaw
related to constant HashTable seeds.
A remote attacker could exploit this vulnerability to flood the hash and cause
a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129465 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Business Process Manager V8.5.5.0 - V8.5.7.0 including cumulative fix
2017.06

Remediation/Fixes

Install IBM Business Process Manager interim fix JR58231 as appropriate for
your current IBM Business Process Manager or WebSphere Lombardi Edition
version.

IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06:
- - Install CF 2017.06 and then apply iFix JR58231
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2:
- - Install CF2 as required by iFix and then apply iFix JR58231
For IBM BPM V8.5.5.0:
- - Apply iFix JR58231

Workarounds and Mitigations

IBM BPM Configuration Editor is a stand-alone tool for editing properties
files. Use a standard text file editor instead.

Important note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal.

IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3
IBM BPM Configuration Editor

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 Sep 2017: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score.
Customers can evaluate the impact of this vulnerability in their environments
by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: A security vulnerability has been identified in IBM
WebSphere Application Server shipped with IBM Business Process Manager
(CVE-2017-1501)

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2,
8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703,
8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2007343
Modified date: 22 September 2017

Security Bulletin

Summary

WebSphere Application Server is shipped as a component of IBM Business Process
Manager. Information about security vulnerabilities affecting IBM WebSphere
Application Server Traditional has been published in a security bulletin.
Vulnerability Details

Please consult the security bulletin Security Bulletin: Potential security
vulnerability in the WebSphere Application Server Admin Console
(CVE-2017-1501)

Affected Products and Versions

- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
    2017.06

Note that the vulnerability only affects WebSphere Application Server V8.0 and
later, thus BPM 7.5, WebSphere Lombardi Edition and WebSphere Process Server
are not affected.

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity
service. If you are not subscribed, see the instructions on the System z
Security web site. Security and integrity APARs and associated fixes will be
posted to this portal.

IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 September 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Privilege escalation in IBM Business Process Manager (BPM) - CVE-2017-1539

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2,
8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703,
8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2007451
Modified date: 22 September 2017

Security Bulletin

Summary

Synchronization between the user registry and the IBM BPM database leads to
invalid memberships in case there is an internal group in the IBM BPM database
and a group in the user registry with the same name.

Vulnerability Details

CVEID: CVE-2017-1539
DESCRIPTION: IBM Business Process Manager is vulnerable to privilege escalation
by not properly distinguishing internal group memberships from user registry
group memberships. By manipulating LDAP group membership an attacker might gain
privileged access.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130807 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
    2017.06

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or CF containing
APAR JR58241 as soon as practical:

IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

As IBM Business Process Manager V7.5 is out of general support, customers with
a support extension contract can contact IBM support to request the fix.

For IBM BPM V8.0.0.0 through V8.0.1.3:
- - Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix
    and then apply iFix JR58241
For IBM BPM V8.5.0.0 through V8.5.0.2:
- - Install Fix Pack 2 as required by iFix and then apply iFix JR58241
For IBM BPM V8.5.5.0:
- - Apply iFix JR58241
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2:
- - Install CF2 as required by iFix and then apply iFix JR58241
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06:
- - Install CF 2017.06 as required by iFix and then apply iFix JR58241

Workarounds and Mitigations

None

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 Sep 2017: initial version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score.
Customers can evaluate the impact of this vulnerability in their environments
by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- ---

Security Bulletin: Multiple vulnerabilities in WebSphere Application Server
affect IBM Business Process Manager (BPM), WebSphere Process Server (WPS),
WebSphere Enterprise Service Bus, and WebSphere Lombardi Edition (WLE) (Java
CPU July 2017)

Document information

More support for: IBM Business Process Manager Advanced
Security
Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1,
8.0.1.2, 8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2,
8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703,
8.5.7.CF201706, 8.5.7
Operating system(s): AIX, Linux, Solaris, Windows, z/OS
Reference #: 2008025
Modified date: 22 September 2017

Security Bulletin

Summary

WebSphere Application Server is shipped as a component of IBM Business Process
Manager, WebSphere Process Server, WebSphere Enterprise Service Bus, and
WebSphere Lombardi Edition. WebSphere Application Server Liberty is shipped as
a component of the optional BPM component Process Federation Server.
Information about security vulnerabilities affecting IBM WebSphere Application
Server Traditional and IBM WebSphere Application Server Liberty has been
published in a security bulletin.
Vulnerability Details

Please consult the Security Bulletin: Multiple Vulnerabilities in IBM Java SDK
affects WebSphere Application Server July 2017 CPU for vulnerability details
and information about fixes.

Additionally, IBM BPM might be affected by the following vulnerability:

CVEID: CVE-2017-10053
DESCRIPTION: An unspecified vulnerability related to the Java SE 2D component
could allow an unauthenticated attacker to cause a denial of service resulting
in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/128822 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

- - WebSphere Process Server V7.0.0.0 through V7.0.0.5 (and earlier
    unsupported releases)
- - WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5 (and earlier
    unsupported releases)
- - WebSphere Enterprise Service Bus V7.0.0.0 through V7.0.0.5 (and earlier
    unsupported releases)
- - WebSphere Enterprise Service Bus V7.5.0.0 through V7.5.1.2
- - IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- - IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- - IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- - IBM Business Process Manager V8.5.5.0
- - IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- - IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix
    2017.06

Note that 8.5.7.0 Cumulative Fix 2017.03 and 2017.06 cannot automatically
install interim fixes for the base Application Server. It is important to
follow the complete installation instructions and manually ensure that
recommended security fixes are installed.

For earlier and unsupported versions of the products, IBM recommends upgrading
to a fixed, supported version of the product.
Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 September 2017: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
---

Security Bulletin: XML External Entity (XXE) injection vulnerability affects IBM Business Process Manager (CVE-2017-1527)

Document information

More support for: IBM Business Process Manager Advanced
Security

Software version: 7.5, 7.5.0.1, 7.5.1, 7.5.1.1, 7.5.1.2, 8.0, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.6, 8.5.6.1, 8.5.6.2, 8.5.7.CF201606, 8.5.7.CF201609, 8.5.7.CF201612, 8.5.7.CF201703, 8.5.7.CF201706, 8.5.7

Operating system(s): AIX, Linux, Solaris, Windows, z/OS

Reference #: 2007346

Modified date: 22 September 2017

Security Bulletin

Summary

IBM Business Process Manager (BPM) can process XML messages, including messages from untrusted sources. Because of insufficient restriction of an XML parser, XML External Entity injection allows an authenticated remote attacker to send specially crafted XML messages and thus cause a denial of service by exhausting system resources or exfiltrate sensitive information.

Vulnerability Details

CVEID: CVE-2017-1527
DESCRIPTION: IBM Business Process Manager is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130156 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

- IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

Remediation/Fixes

Install IBM BPM interim fix JR58188 as appropriate for your current version.
IBM Business Process Manager Advanced
IBM Business Process Manager Standard
IBM Business Process Manager Express

As IBM Business Process Manager V7.5 is out of general support, customers with a support extension contract can contact IBM support to request the fix.

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Install CF 2017.06 and then apply iFix JR58188

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
- Install CF2 as required by iFix and then apply iFix JR58188

For IBM BPM V8.5.5.0
- Apply iFix JR58188

For IBM BPM V8.5.0.0 through V8.5.0.2
- Install Fix Pack 2 as required by iFix and then apply iFix JR58188

For IBM BPM V8.0.0.0 through V8.0.1.3
- Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix and then apply iFix JR58188

For IBM BPM V7.5.0.0 through V7.5.1.2
- Upgrade to minimal Refresh Pack 1, install Fix Pack 2 as required by iFix and then apply iFix JR58188

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Sergio Ortega Fernández (PwC España - BSS).

Change History

22 Sep 2017: initial version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score.
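The XXE bulletin above describes the vulnerability class (unrestricted entity handling leading to information disclosure or resource exhaustion) without showing what the parser side of the fix looks like. As an added example that is not IBM's or BPM's code, the following Python intake routine refuses every construct XXE relies on (any DOCTYPE, entity declaration or external entity reference) so a crafted message fails closed; the sample messages and the `processMessage` element name are constructed for the example.

```python
import xml.parsers.expat as expat


class RejectedXml(ValueError):
    """Raised when an untrusted document uses a construct XXE depends on."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse an untrusted XML message, refusing DOCTYPEs and all entities."""
    parser = expat.ParserCreate()
    # Never resolve parameter entities, so no external DTD subset is fetched.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # XXE needs a DOCTYPE to declare entities; business messages never do.
        raise RejectedXml(f"DOCTYPE not allowed (root={name!r})")

    def reject_entity_decl(*_args):
        raise RejectedXml("entity declaration not allowed")

    def reject_external_ref(context, base, sysid, pubid):
        raise RejectedXml(f"external entity not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    elements, text = [], []
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)  # raises expat.ExpatError on malformed input
    return {"elements": elements, "text": "".join(text).strip()}


def triage(data: bytes) -> str:
    """Classify a message for logging: 'ok', 'rejected: <why>' or 'malformed'."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except RejectedXml as exc:
        return f"rejected: {exc}"
    except expat.ExpatError:
        return "malformed"


# Constructed samples (added example, not from the bulletin): a benign message,
# one declaring an external entity, one nesting internal entities (DoS shape).
CLEAN = b"<processMessage><task>approve</task></processMessage>"
EXTERNAL = b'<!DOCTYPE m [<!ENTITY e SYSTEM "file:///example">]><m>&e;</m>'
NESTED = b'<!DOCTYPE m [<!ENTITY a "xx"><!ENTITY b "&a;&a;">]><m>&b;</m>'
```

Calling `triage()` on the three samples returns `ok` for CLEAN and a rejection for the other two; parsing stops at the DOCTYPE, so nothing is ever fetched or expanded, and the rejection string is what you would log for detection.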
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made.
If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----