Jun 15, 2018 - 7:04 a.m.

Security Bulletin: IBM Business Process Manager authorization checks for process and task deletion are insufficient (CVE-2015-7463)

www.ibm.com

EPSS: 0.001 (Percentile: 32.3%)

Summary

An API to delete process and task data is incorrectly available to non-administrative users.

Vulnerability Details

CVEID: CVE-2015-7463
DESCRIPTION: IBM Business Process Manager could allow an authenticated user to delete process and task data through a command that should only be available to administrators.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108393> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

  • IBM Business Process Manager V7.5.x
  • IBM Business Process Manager V8.0.x
  • IBM Business Process Manager V8.5.0
  • IBM Business Process Manager V8.5.5
  • IBM Business Process Manager V8.5.6.0 up to and including cumulative fix 2

Remediation/Fixes

Install the interim fixes for APAR JR54823 as appropriate for your current IBM Business Process Manager version.

Please note that the fixes for 8.5.6.0 can be included in a future cumulative fix. See Fix list for the IBM Business Process Manager Version 8.5 products,

Workarounds and Mitigations

None
