IBM08D9A485FCCA9E51CE5F3A9C4F8F673C9C01A8E267417E8D5286C884D8732CF8Security Bulletin: Potential information leakage in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2017-1756)
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
20.2%
Summary
Due to incorrect cache headers sensitive information might be stored locally which can be accessed by another user on the same system.
Vulnerability Details
CVEID: CVE-2017-1756 DESCRIPTION: IBM Business Process Manager allows web pages to be stored locally which can be read by another user on the system.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/135856> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
- IBM Business Process Manager V7.5.0.0 through V7.5.1.2
- IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.6.0.0
- IBM Business Process Manager Enterprise Service Bus V8.6.0.0
- WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR58706 as soon as practical:
- IBM Business Process Manager
- IBM Business Process Manager Advanced
- IBM Business Process Manager Standard
- IBM Business Process Manager Express
For IBM BPM V8.6.0.0 (released 2017.09)
- Apply iFix JR58706 or install CF 2017.12 or later
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Install CF 2017.06 and then apply iFix JR58706
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
For IBM BPM V8.5.5.0
- Apply iFix JR58706
For IBM BPM V8.5.0.0 through V8.5.0.2
- Install Fix Pack 2 as required by iFix and then apply iFix JR58706
For IBM BPM V8.0.0.0 through V8.0.1.3
- Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix and then apply iFix JR58706
For IBM BPM V7.5.0.0 through V7.5.1.2
- Upgrade to minimal Refresh Pack 1, install Fix Pack 2 as required by iFix and then apply iFix JR58706
For WebSphere Lombardi Edition V7.2.0.0 through V7.2.0.5
- Apply iFix JR58706
As IBM Business Process Manager V7.5, V8.0, and WebSphere Lombardi Edition are out of general support, customers with a support extension contract can contact IBM support to request the fix.
Workarounds and Mitigations
None
Affected configurations
Related
2.1 Low
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
4 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
20.2%