IBM0CAE665A338D4A9E6593AFF54CC6531FEE53F0A94444718999D754E079B9F9E5Security Bulletin: Information leakage in IBM Business Process Manager (CVE-2017-1765)
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
39.8%
Summary
Sensitive information about the application server is revealed during snapshot export in IBM Business Process Manager.
Vulnerability Details
CVEID: CVE-2017-1765 DESCRIPTION: IBM Business Process Manager could allow an authenticated user with special privileges to reveal sensitive information about the application server.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136150> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
- IBM Business Process Manager V8.0.0.0 through V8.0.1.3
- IBM Business Process Manager V8.5.0.0 through V8.5.0.2
- IBM Business Process Manager V8.5.5.0
- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2
- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06
- IBM Business Process Manager V8.6.0.0
- IBM Business Process Manager Enterprise Service Bus V8.6.0.0
Remediation/Fixes
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR58727 as soon as practical:
- IBM Business Process Manager
- IBM Business Process Manager Advanced
- IBM Business Process Manager Standard
- IBM Business Process Manager Express
For IBM BPM V8.6.0.0 (released 2017.09)
- Apply iFix JR58727 or install CF 2017.12 or later
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Install CF 2017.06 and then apply iFix JR58727
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
For IBM BPM V8.5.5.0
- Apply iFix JR58727
For IBM BPM V8.5.0.0 through V8.5.0.2
- Install Fix Pack 2 as required by iFix and then apply iFix JR58727
For IBM BPM V8.0.0.0 through V8.0.1.3
- Upgrade to minimal Refresh Pack 1, install Fix Pack 3 as required by iFix and then apply iFix JR58727
As IBM Business Process Manager V8.0 is out of general support, customers with a support extension contract can contact IBM support to request the fix.
Workarounds and Mitigations
None
Affected configurations
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
0.001 Low
EPSS
Percentile
39.8%