Lucene search

K
ibmIBMB06372E22928A8874F1218A89C0A18BCC82B9D67C1CBDA3A714A795B2472DCB2
HistorySep 15, 2022 - 7:26 p.m.

Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1767)

2022-09-1519:26:17
www.ibm.com
23
ibm business process manager
cross-site scripting
vulnerability
version 8.5.5.0
version 8.5.6.0
version 8.5.7.0
version 8.6.0.0
cve-2017-1767
credentials disclosure

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.9%

Summary

Cross-site scripting vulnerability in an instance user interface affects IBM Business Process Manager.

Vulnerability Details

CVEID: CVE-2017-1767 DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2017.12

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR58901 as soon as practical:

  • IBM Business Process Manager
  • IBM Business Process Manager Advanced
  • IBM Business Process Manager Standard
  • IBM Business Process Manager Express

For IBM BPM V8.6.0.0 thorugh V8.6.0.0 CF 2017.12

  • Install CF 2018.03 or later

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06

  • Install CF 2017.06 and then apply iFix JR58901

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2

  • Install CF2 as required by iFix and then apply iFix JR58901

For IBM BPM V8.5.5.0

  • Apply iFix JR58901

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmbusiness_process_managerMatch8.6
OR
ibmbusiness_process_managerMatch8.6.0.
OR
ibmbusiness_process_managerMatch201712
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201706advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201703advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201612advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201609advanced
OR
ibmbusiness_process_managerMatch8.5.7.advanced
OR
ibmbusiness_process_managerMatch201606advanced
OR
ibmbusiness_process_managerMatch8.5.7advanced
OR
ibmbusiness_process_managerMatch8.5.6.2advanced
OR
ibmbusiness_process_managerMatch8.5.6.1advanced
OR
ibmbusiness_process_managerMatch8.5.6advanced
OR
ibmbusiness_process_managerMatch8.5.5advanced
OR
ibmbusiness_process_managerMatch8.6express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201706express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201703express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201612express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201609express
OR
ibmbusiness_process_managerMatch8.5.7.express
OR
ibmbusiness_process_managerMatch201606express
OR
ibmbusiness_process_managerMatch8.5.7express
OR
ibmbusiness_process_managerMatch8.5.6.2express
OR
ibmbusiness_process_managerMatch8.5.6.1express
OR
ibmbusiness_process_managerMatch8.5.6express
OR
ibmbusiness_process_managerMatch8.5.5express
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201706standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201703standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201612standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201609standard
OR
ibmbusiness_process_managerMatch8.5.7.standard
OR
ibmbusiness_process_managerMatch201606standard
OR
ibmbusiness_process_managerMatch8.5.7standard
OR
ibmbusiness_process_managerMatch8.5.6.2standard
OR
ibmbusiness_process_managerMatch8.5.6.1standard
OR
ibmbusiness_process_managerMatch8.5.6standard
OR
ibmbusiness_process_managerMatch8.5.5standard
VendorProductVersionCPE
ibmbusiness_process_manager8.6cpe:2.3:a:ibm:business_process_manager:8.6:*:*:*:*:*:*:*
ibmbusiness_process_manager8.6.0.cpe:2.3:a:ibm:business_process_manager:8.6.0.:*:*:*:*:*:*:*
ibmbusiness_process_manager201712cpe:2.3:a:ibm:business_process_manager:201712:*:*:*:*:*:*:*
ibmbusiness_process_manager8.5.7.cpe:2.3:a:ibm:business_process_manager:8.5.7.:*:*:*:advanced:*:*:*
ibmbusiness_process_manager201706cpe:2.3:a:ibm:business_process_manager:201706:*:*:*:advanced:*:*:*
ibmbusiness_process_manager201703cpe:2.3:a:ibm:business_process_manager:201703:*:*:*:advanced:*:*:*
ibmbusiness_process_manager201612cpe:2.3:a:ibm:business_process_manager:201612:*:*:*:advanced:*:*:*
ibmbusiness_process_manager201609cpe:2.3:a:ibm:business_process_manager:201609:*:*:*:advanced:*:*:*
ibmbusiness_process_manager201606cpe:2.3:a:ibm:business_process_manager:201606:*:*:*:advanced:*:*:*
ibmbusiness_process_manager8.5.7cpe:2.3:a:ibm:business_process_manager:8.5.7:*:*:*:advanced:*:*:*
Rows per page:
1-10 of 371

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

33.9%

Related for B06372E22928A8874F1218A89C0A18BCC82B9D67C1CBDA3A714A795B2472DCB2