Security Bulletin: Multiple security vulnerabilities in Business Space affect IBM Business Process Manager and WebSphere Process Server (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)

Summary

Business Space is a user interface framework that is available in WebSphere Process Server and IBM Business Process Manager (BPM). In IBM BPM Express Edition and Standard Edition the framework is not used directly by end users, however, it is still available and contributes parts of the Process Portal experience.

Multiple security vulnerabilities have been reported for Business Space. IBM has addressed the vulnerabilities in WebSphere Process Server and IBM Business Process Manager as described below.

Vulnerability Details

CVEID: CVE-2015-7407**
DESCRIPTION:** IBM Mashups is vulnerable to Server Side Request Forgery. A remote attacker might use specially crafted HTTP requests to IBM Mashups in order to make the Mashups servers call other reachable HTTP services in its network.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107433&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2015-7400**
DESCRIPTION:** IBM Business Process Manager is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107105&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2015-7454**
DESCRIPTION:** IBM Business Process Manager could allow an authenticated user to create pages and spaces that they should not have access to due to improper access restrictions.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108333&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

• • WebSphere Process Server V6.1.2.0 - V7.0.0.5
• IBM Business Process Manager Advanced V7.5.0.0 - V7.5.1.2
• IBM Business Process Manager Advanced V8.0.0.0 - V8.0.1.3
• IBM Business Process Manager Advanced V8.5.0.0 - V8.5.6.0

Remediation/Fixes

Install IBM Business Process Manager interim fix JR54678 as appropriate for your current IBM Business Process Manager version.

• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

Please note that JR55592 was made available for download (but not officially announced in a security bulletin) to address CVE-2014-8912. On BPM V8.0 and later, JR55592 overwrites some of the changes of JR54678 and thus reintroduces CVE-2015-7400. The correct fix for CVE-2014-8912 is JR56078 which supersedes JR55592 as announced in Security Bulletin: Security vulnerability in Business Space affects IBM Business Process Manager and WebSphere Process Server (CVE-2014-8912).

For any version of WebSphere Prcoess Server, IBM recommends upgrading to a fixed, supported version/release/platform of the IBM Business Process Manager Advanced.

Workarounds and Mitigations

Not applicable