Security Bulletin: A security vulnerability in Node.js affects the IBM Business Process Manager (BPM) configuration editor (CVE-2014-5256)

Summary

IBM Business Process Manager V8.5.5 provides a standalone tool for editing configuration properties files that is called the “IBM BPM Configuration editor.” This editor is based on open source Node.js technology. A security vulnerability has been reported for Node.js.

Vulnerability Details

Note: The IBM BPM Configuration editor is an optional stand-alone tool. It can be extracted and started explicitly as described in the Configuring your environment graphically with the IBM BPM Configuration editor topic within the product documentation.

CVE ID:CVE-2014-5256
CVE-2014-5256
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95057&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Node.js is vulnerable to a denial of service that is caused by a memory corruption error. By sending an overly long JSON string, a remote attacker might exploit this vulnerability to cause a segmentation fault.

Affected Products and Versions

• IBM Business Process Manager Standard V8.5.5.0
• IBM Business Process Manager Express V8.5.5.0
• IBM Business Process Manager Advanced V8.5.5.0

Remediation/Fixes

Install the interim fix for APAR JR51163 as appropriate for your current IBM Business Process Manager version.

* [_IBM Business Process Manager Express_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR51163>)
* [_IBM Business Process Manager Standard_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR51163>)
* [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR51163>)