Security Bulletin: Persistent cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1140)

Summary

IBM Business Proccess Manager is vulnerable to persistent cross-site scripting, caused by improper neutralization of user-supplied input.

Vulnerability Details

CVEID: CVE-2017-1140**
DESCRIPTION:** IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See _https://exchange.xforce.ibmcloud.com/vulnerabilities/_121905 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2016.12

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or CF containing APAR JR57397 as soon as practical:

• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

For IBM BPM V8.0.0.0 through V8.0.1.3

• Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix and then apply iFix JR57397

For IBM BPM V8.5.0.0 through V8.5.0.2

• Install Fix Pack 2 as required by iFix and then apply iFix JR57397

For IBM BPM V8.5.5.0

• Apply iFix JR57397

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2

• Install CF2 as required by iFix and then apply iFix JR57397

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2016.12

• Install CF 2017.03

Workarounds and Mitigations

None