Due to incorrect authorization checks on the stop and resume Event Manager REST API, users without the required permission can stop and resume the Event Manager in IBM Business Process Manager.
CVEID: CVE-2017-1628
DESCRIPTION: IBM Business Process Manager allows authenticated users to stop and resume the Event Manager by calling a REST API with incorrect authorization checks.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/133126> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
- IBM Business Process Manager V8.6.0.0
The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR JR58466 as soon as practical:
For IBM BPM V8.6.0.0 (released 2017.09)
None
CPE

Name | Operator | Version
---|---|---
ibm business process manager | eq | 8.6.0.0
ibm business process manager express | eq | 8.6.0