Jun 15, 2018 - 7:07 a.m.

Security Bulletin: Potential information leakage during process app export in IBM Business Process Manager (CVE-2017-1346)

2018-06-15 07:07:39
www.ibm.com
EPSS: 0

Percentile: 5.1%

Summary

IBM Business Process Manager temporarily stores files in a usually shared directory during offline installs and thus might leak sensitive information stored in the files.

Vulnerability Details

CVEID: CVE-2017-1346
DESCRIPTION: IBM Business Process Manager temporarily stores files in a temporary folder during offline installs which could be read by a local user within a short timespan.
CVSS Base Score: 2.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/126461> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- IBM Business Process Manager V7.5.0.0 through V7.5.1.2

- IBM Business Process Manager V8.0.0.0 through V8.0.1.3

- IBM Business Process Manager V8.5.0.0 through V8.5.0.2

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.03

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or CF containing APAR JR57917 as soon as practical:

As IBM Business Process Manager V7.5 is out of general support, customers with a support extension contract can contact IBM support to request the fix.

For IBM BPM V7.5.0.0 through V7.5.1.2:

For IBM BPM V8.0.0.0 through V8.0.1.3

For IBM BPM V8.5.0.0 through V8.5.0.2

For IBM BPM V8.5.5.0

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2

  • Install CF2 as required by iFix and then apply iFixes JR57917

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.03

Workarounds and Mitigations

None
