CVSS2: 5 Medium

* Access Vector: NETWORK
* Access Complexity: LOW
* Authentication: NONE
* Confidentiality Impact: NONE
* Integrity Impact: NONE
* Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

IBM Business Process Manager V8.5.5 provides a standalone tool for editing configuration properties files that is called the “IBM BPM Configuration editor.” This editor is based on open source Node.js technology. A security vulnerability has been reported for Node.js.
Note: The IBM BPM Configuration editor is an optional stand-alone tool. It can be extracted and started explicitly as described in the “Configuring your environment graphically with the IBM BPM Configuration editor” topic in the product documentation.
CVE ID: CVE-2014-5256
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95057> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Node.js is vulnerable to a denial of service that is caused by a memory corruption error. By sending an overly long JSON string, a remote attacker might exploit this vulnerability to cause a segmentation fault.
Install the interim fix for APAR JR51163 as appropriate for your current IBM Business Process Manager version.
* [_IBM Business Process Manager Express_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR51163>)
* [_IBM Business Process Manager Standard_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR51163>)
* [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR51163>)