Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator

Summary

IBM Business Process Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise.

Vulnerability Details

Review the following security bulletins for IBM Business Process Manager for vulnerability details and information about fixes.

• Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition

• IBM Security Bulletin: Cross Site Scripting vulnerability in IBM Business Process Manager (CVE-2016-5901)

• IBM Security Bulletin: HTML injection vulnerability in Business Space might affect IBM Business Process Manager (CVE-2016-3056)

• IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-9748, CVE-2016-1669)

• IBM Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899)
  

• Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-0254)

• Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016)

• Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-0306)

• Security Bulletin: Multiple security vulnerabilities in Business Space affect IBM Business Process Manager and WebSphere Process Server (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)

• Security Bulletin: Cross-Site scripting vulnerability in IBM Business Process Manager document list control (CVE-2016-0227)

• Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager Process Portal (CVE-2015-8524) ** **

• Security Bulletin: IBM Business Process Manager authorization checks for process and task deletion are insufficient (CVE-2015-7463)

• Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)

• Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-7417)

• Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)

• Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)

• Security Bulletin: Vulnerability in Apache Commons affects IBM Business Process Manager (CVE-2015-7450)

• Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)

• Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager dashboards (CVE-2015-4955)

• Security Bulletin: IBM Business Process Manager (BPM) document store is susceptible to XXE (XML External Entity) attacks. (CVE-2013-5452)[

](<http://www.ibm.com/support/docview.wss?uid=swg21965001&gt;)

• Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-1932, CVE-2015-4938, CVE-2015-1946)

• Security Bulletin: Missing authorization concept for document upload and download in IBM Business Process Manager (BPM) CMIS integration (CVE-2015-1904)

• Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (Java CPU July 2015 - CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)

• Security Bulletin: Multiple security vulnerabilities in ElasticSearch might affect Process Federation Server (PFS) in IBM Business Process Manager (BPM) - CVE-2015-5531, CVE-2015-5377[

](<http://www.ibm.com/support/docview.wss?uid=swg21697944&gt;)

• Security Bulletin: Cross-site scripting vulnerabilities in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) error handling (CVE-2015-0193)
  
• [Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)

](<http://www.ibm.com/support/docview.wss?uid=swg21699938&gt;)

• Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-1885, CVE-2015-1946, CVE-2015-1927)[

](<http://www.ibm.com/support/docview.wss?uid=swg21903346&gt;)

• Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Process Manager (BPM), WebSphere Process Server (WPS), and WebSphere Lombardi Edition (WLE): CVE-2015-1920

• Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)

• Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-4000)

• Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-2808)[

](<http://www.ibm.com/support/docview.wss?uid=swg21699935&gt;)

• Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-0138 CVE-2014-6593 CVE-2015-0400 CVE-2015-0410)

• Security Bulletin: Multiple vulnerabilities in IBM SDK for Java Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2014-6512, CVE-2014-6457, CVE-2014-6558, CVE-2014-3566)

• Security Bulletin: Vulnerability in SSLv3 affects IBM Business Process Manager (CVE-2014-3566)

• Security Bulletin: TLS padding vulnerability affects IBM HTTP Server shipped with IBM Business Process Manager family products (CVE-2014-8730)

• • Security Bulletin: Cross-Site Scripting vulnerabilities in Dojo affect IBM Business Process Manager (BPM), WebSphere Lombardi Edition (WLE), and WebSphere Process Server (WPS) - CVE-2014-8917

Affected Products and Versions

** Principal Product and Version**

| ** Affected Supporting Product and Version**
—|—
IBM Cloud Orchestrator 2.5, 2.5.0.1, 2.5.0.1 Interim Fix1, 2.5.0.2
IBM Cloud Orchestrator Enterprise 2.5.0.1, 2.5.0.1 Interim Fix1, 2.5.0.2| IBM Business Process Manager Standard 8.5.6
IBM Cloud Orchestrator 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3

IBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3

| IBM Business Process Manager Standard 8.5.0.1
IBM SmartCloud Orchestrator 2.3 and 2.3.0.1

IBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1

| IBM Business Process Manager Standard 8.5