Security Bulletin: Cross-site scripting vulnerability in IBM Business Process Manager (CVE-2017-1767)

Summary

Cross-site scripting vulnerability in an instance user interface affects IBM Business Process Manager.

Vulnerability Details

CVEID: CVE-2017-1767 DESCRIPTION: IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/136152&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

- IBM Business Process Manager V8.5.5.0

- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2

- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.06

- IBM Business Process Manager V8.6.0.0 through V8.6.0.0 Cumulative Fix 2017.12

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR58901 as soon as practical:

• IBM Business Process Manager
• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

For IBM BPM V8.6.0.0 thorugh V8.6.0.0 CF 2017.12

• Install CF 2018.03 or later

For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06

• Install CF 2017.06 and then apply iFix JR58901

For IBM BPM V8.5.6.0 through V8.5.6.0 CF2

• Install CF2 as required by iFix and then apply iFix JR58901

For IBM BPM V8.5.5.0

• Apply iFix JR58901

Workarounds and Mitigations

None