Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2017-3737 CVE-2017-3738)

Summary

Security vulnerabilities have been reported for IBM SDK for Node.js. IBM Business Process Manager includes a stand-alone tool for editing configuration properties files that is based on IBM SDK for Node.js.

Vulnerability Details

CVEID: CVE-2017-3737 DESCRIPTION: OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw in the "error state" mechanism when directly calling SSL_read() or SSL_write() for an SSL object after receiving a fatal error. An attacker could exploit this vulnerability to bypass the decryption or encryption process and perform unauthorized actions.which is no longer an option since CVE-2016-0701.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136077&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2017-3738 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. An attacker could exploit this vulnerability to obtain information about the private key. Note: In order to exploit this vulnerability, the server would have to share the DH1024 private key among multiple clients, which is no longer an option since CVE-2016-0701.
CVSS Base Score: 3.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136078&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

For more information about the vulnerabilities fixed in the IBM SDK for Node.js runtime included in IBM BPM Configuration Editor, see Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ (CVE-2017-3737 CVE-2017-3738)

Affected Products and Versions

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2017.12

Remediation/Fixes

Install IBM Business Process Manager interim fix JR59057 as appropriate for your current IBM Business Process Manager version.

• IBM Business Process Manager
• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

For IBM BPM V8.6.0.0 through V8.6.0.0 CF 2017.12
· Upgrade to minimal cumulative fix levels as required by iFix and then apply iFix JR59057
--OR–
· Apply Cumulative Fix 2018.03 or later

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
· Apply Cumulative Fix 2017.06 and then apply iFix JR59057

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
· Apply CF2 as required by iFix and then apply iFix JR59057

For IBM BPM V8.5.5.0
· Apply iFix JR59057

Workarounds and Mitigations

IBM BPM Configuration Editor is a stand-alone tool for editing properties file. Use a standard text file editor instead.