A vulnerability has been identified in IBM Business Process Manager, which is bundled with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition.
IBM Cloud Orchestrator, which includes IBM Business Process Manager V8.5.6 CF2, has addressed this vulnerability.
CVEID: CVE-2016-6109
DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118266 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
| Principal Product and Version(s) | Affected Supporting Product and Version |
|---|---|
| IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3 | Business Process Manager V8.5.5 through V8.5.7 CF201703 |
| IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4 | Business Process Manager V8.5.0.1 through V8.5.6 CF2 |
| IBM Cloud Orchestrator V2.3, V2.3.0.1 | Business Process Manager V8.5.0.1 |
| IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | Business Process Manager V8.5.5 through V8.5.7 CF201703 |
| IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4 | Business Process Manager V8.5.5 through V8.5.6 CF2 |
| IBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1 | Business Process Manager V8.5.0.1 |
This issue has been addressed by IBM Cloud Orchestrator (Standard and Enterprise Edition).
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| IBM Cloud Orchestrator | V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3 | For 2.5 versions, IBM recommends upgrading to Fix Pack 4 (2.5.0.4) of IBM Cloud Orchestrator: http://www-01.ibm.com/support/docview.wss?uid=swg27045667 |
| IBM Cloud Orchestrator | V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4 | For 2.4 versions, IBM recommends upgrading to Fix Pack 5 (2.4.0.5) of IBM Cloud Orchestrator: https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049 |
| IBM Cloud Orchestrator | V2.3, V2.3.0.1 | Product withdrawn; see the withdrawal announcement ENUS917-138. Contact IBM Support. |
For a preventive fix or workaround, see Security Bulletin: Cross Site Scripting vulnerability in IBM Business Process Manager (BPM) (CVE-2016-6109).