History: Jun 17, 2018 - 10:33 p.m.

Security Bulletin: Multiple security vulnerabilities in IBM Business Process Manager affect IBM Cloud Orchestrator (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)

Source: www.ibm.com (published 2018-06-17 22:33:13)

Page-level scores (as indexed; they differ from the per-CVE scores IBM gives under Vulnerability Details):

8.8 High (CVSS3): Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction REQUIRED, Scope UNCHANGED, Confidentiality Impact HIGH, Integrity Impact HIGH, Availability Impact HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium (CVSS2): Access Vector NETWORK, Access Complexity LOW, Authentication SINGLE, Confidentiality Impact NONE, Integrity Impact NONE, Availability Impact COMPLETE
AV:N/AC:L/Au:S/C:N/I:N/A:C

Summary

Multiple vulnerabilities have been identified in IBM Business Process Manager, which is bundled with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition.

IBM Cloud Orchestrator V2.4 Fix Pack 4 (2.4.0.4) addresses these vulnerabilities. It includes IBM Business Process Manager V8.5.6 CF2.

Vulnerability Details

CVEID: CVE-2015-7407
DESCRIPTION: IBM Mashups is vulnerable to Server Side Request Forgery. A remote attacker might use specially crafted HTTP requests to IBM Mashups in order to make the Mashups servers call other reachable HTTP services in their network.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107433 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
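The bulletin does not say how IBM Mashups was made to reach internal services, so the following is an added, generic illustration of the vulnerability class rather than IBM code or an IBM workaround: a server-side check applied to a URL the server is asked to fetch on a client's behalf. All names (`check_outbound_url`, `CONSTRUCTED_DNS`, the hostnames and addresses) are assumptions made for the example; the DNS data is constructed so the block runs offline.

```python
"""Server-side request forgery guard: validate a URL a server would fetch on a
client's behalf before making the request. Added illustration of the class
named for CVE-2015-7407; not IBM Mashups code, and not an IBM workaround."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed stand-in for DNS so the example runs offline; the names and
# addresses are illustrative only.
CONSTRUCTED_DNS = {
    "example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "rebind.attacker.test": {"93.184.216.35", "10.0.0.5"},
}


def constructed_resolver(host):
    """Offline resolver over CONSTRUCTED_DNS; IP literals resolve to themselves."""
    try:
        ipaddress.ip_address(host)
        return {host}
    except ValueError:
        return CONSTRUCTED_DNS.get(host, set())


def system_resolver(host):
    """Real resolution through the OS resolver (not used by the offline test)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal(ip):
    """True for any address an external client could not reach directly."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified
            or not addr.is_global)


def check_outbound_url(url, resolver=system_resolver):
    """Return (ok, reason, pinned_ip). On success the caller must connect to
    pinned_ip and set the Host header itself rather than re-resolving the
    name, or a DNS-rebinding attacker can change the answer between the
    check and the connect."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError as exc:
        return False, f"malformed URL: {exc}", None
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed", None
    try:
        ips = resolver(host)
    except OSError:
        ips = set()
    if not ips:
        return False, f"{host} does not resolve", None
    # Every answer must be external: a hostile zone can return one public and
    # one private address and hope the HTTP client picks the private one.
    for ip in ips:
        try:
            internal = is_internal(ip)
        except ValueError:
            return False, f"unparseable address {ip!r}", None
        if internal:
            return False, f"{host} resolves to internal address {ip}", None
    return True, "ok", min(ips)
```

The check resolves the name once and returns the address it validated; an implementation that validates the hostname and then lets its HTTP client resolve it again has only moved the race, which is why the pinned address is part of the result.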

CVEID: CVE-2015-7400
DESCRIPTION: IBM Business Process Manager is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote authenticated attacker could exploit this vulnerability to consume all available CPU resources and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107105 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
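The CPU-exhaustion form of XXE is entity expansion: a small document whose DTD declares nested entities that a parser expands into output thousands of times larger than the input. The block below is an added, generic illustration of that class and of the usual fix (refuse any DOCTYPE, so no entity can be declared at all); it is not IBM Business Process Manager code and says nothing about which parser IBM used. The sample document is constructed and kept tiny so it runs instantly; the function names are assumptions for the example.

```python
"""Entity-expansion denial of service (the XXE class named for CVE-2015-7400),
shown generically: a naive expat parse beside one that refuses any DTD.
This is an added illustration, not IBM Business Process Manager code."""
import xml.parsers.expat as expat

# Constructed sample: three nesting levels of eight references each, so the
# single "&d;" in the body expands to 8**3 = 512 copies of "lol". The attack
# form uses ten levels of ten references (the "billion laughs" document).
NESTED_ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE r [
 <!ENTITY a "lol">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
 <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<r>&d;</r>"""

# Constructed benign document with no DTD at all.
PLAIN_DOC = b'<?xml version="1.0"?><r>hello</r>'


class DTDForbidden(ValueError):
    """Raised by the hardened parser as soon as a DOCTYPE is seen."""


def _collect_text(parser, data):
    """Run the parser and return the concatenated character data of the body."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_naive(data):
    """Default expat behaviour: every internal entity reference is expanded in
    full, so the output size is controlled by whoever wrote the document."""
    return _collect_text(expat.ParserCreate(), data)


def parse_hardened(data):
    """Same parse, but abort on the DOCTYPE declaration. With no DTD there is
    nowhere to declare entities, internal or external, so neither expansion
    nor out-of-band fetches are possible."""
    parser = expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} rejected")

    parser.StartDoctypeDeclHandler = forbid_doctype
    return _collect_text(parser, data)


def amplification(data):
    """Ratio of expanded text to document bytes; a real payload pushes this
    into the thousands or beyond."""
    return len(parse_naive(data)) / len(data)


def rejects_dtd(data):
    """True if the hardened parser refuses the document."""
    try:
        parse_hardened(data)
    except DTDForbidden:
        return True
    return False
```

Rejecting the DOCTYPE outright is the simplest hardening because it removes the mechanism rather than capping it; where a schema legitimately needs a DTD, the alternatives are to cap the expansion ratio (recent libexpat does this by default above a size threshold) and to disable external entity resolution separately.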

CVEID: CVE-2015-7454
DESCRIPTION: IBM Business Process Manager could allow an authenticated user to create pages and spaces that they should not have access to due to improper access restrictions.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108333 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Principal Product and Version | Affected Supporting Product and Version |
|---|---|
| IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | IBM Business Process Manager V8.5.5 through V8.5.6 |
| IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition V2.3, V2.3.0.1 | IBM Business Process Manager V8.5.0.1 |

Remediation/Fixes

| Product | VRMF | Remediation/First Fix |
|---|---|---|
| IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition | V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | For 2.4 versions, IBM recommends upgrading to Fix Pack 4 (2.4.0.4) of IBM Cloud Orchestrator: https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049 |
| IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition | V2.3, V2.3.0.1 | Contact IBM Support |

Workarounds and Mitigations

None

