Security Bulletin: IBM WebSphere Lombardi Edition and IBM Business Process Manager (BPM) cross-site scripting vulnerability in error situations (CVE-2014-0957)

Summary

When you invoke a service using a URL, user input can be returned in unhandled service failure situations.

Vulnerability Details

CVE ID: CVE-2014-0957 **DESCRIPTION: **
IBM WebSphere Lombardi Edition and IBM Business Process Manager are vulnerable to cross-site scripting that is caused by the improper validation of user-supplied input. A remote attacker might exploit this vulnerability using a specially crafted URL to execute a script in a user’s web browser within the security context of the hosting web site after the URL is clicked. An attacker might use this vulnerability to steal the cookie-based authentication credentials of the user.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.is__s.net/xforce/xfdb/92738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

• IBM Business Process Manager Standard V8.5.x, 8.0.x, and 7.5.x
• IBM Business Process Manager Express V8.5.x, 8.0.x, and 7.5.x
• IBM Business Process Manager Advanced V8.5.x, 8.0.x, and 7.5.x
• IBM WebSphere Lombardi Edition 7.2

Remediation/Fixes

Install interim fix JR49990 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version.

• IBM Business Process Manager Standard
• IBM Business Process Manager Express
• IBM Business Process Manager Advanced
• IBM WebSphere Lombardi Edition

If you are using earlier unsupported versions, IBM strongly recommends upgrading to a supported version.

Workarounds and Mitigations

None