Security Bulletin: Security vulnerability in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2017-14919)

Summary

Security vulnerability has been reported for IBM SDK for Node.js. IBM Business Process Manager includes a stand-alone tool for editing configuration properties files that is based on IBM SDK for Node.js.

Vulnerability Details

CVEID: CVE-2017-14919 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an uncaught exception flaw in the zlib module. By making 8 an invalid value for the windowBits parameter, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/134286&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.6.0.0

Remediation/Fixes

Install IBM Business Process Manager interim fix JR58725 as appropriate for your current IBM Business Process Manager version.

• IBM Business Process Manager
• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

For IBM BPM V8.6.0.0 (released 2017.09)

• Install CF 2017.12 or later

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06

• Install CF 2017.06 and then apply iFix JR58725

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2

• Install CF2 as required by iFix and then apply iFix JR58725

For IBM BPM V8.5.5.0

• Apply iFix JR58725

Workarounds and Mitigations

IBM BPM Configuration Editor is a stand-alone tool for editing properties file. Use a standard text file editor instead.