Jun 15, 2018 - 7:02 a.m.

Security Bulletin: File path traversal vulnerability affecting IBM Business Process Manager Process Center (CVE-2014-6182)

2018-06-15 07:02:17
www.ibm.com

EPSS: 0.001
Percentile: 49.1%

Summary

An export function in IBM Business Process Manager Process Center is vulnerable to file path traversal. As a result, sensitive files might be downloaded.

Vulnerability Details

CVE-ID: CVE-2014-6182

Description:
IBM Business Process Manager could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing ‘dot dot’ sequences (/../) to view arbitrary files on the system.

CVSS Base Score: 4.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/98518> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
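
For reviewing web access logs while the interim fix is being rolled out, the following added example (not part of the IBM bulletin or product code) flags request URLs that contain ‘dot dot’ segments. It goes beyond the plain form in the description by also decoding percent-encoded and double-encoded variants; the log format, the `/app/export` path and the sample lines are constructed assumptions, not the product's real URL.

```python
import re
from urllib.parse import unquote

# A ".." path segment bounded by "/" or "\" (or the start/end of the string).
DOTDOT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')
# Request target taken from a combined-format access log line (assumed format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines; /app/export is a placeholder path.
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/Jun/2018:07:02:17 +0000] "GET /app/export?file=report.zip HTTP/1.1" 200 5120',
    '192.0.2.11 - bob [15/Jun/2018:07:03:01 +0000] "GET /app/export?file=..%2F..%2Fconf%2Fsettings.xml HTTP/1.1" 200 812',
    '192.0.2.11 - bob [15/Jun/2018:07:03:09 +0000] "GET /app/export/%252e%252e%252fdata HTTP/1.1" 404 0',
    '192.0.2.12 - carol [15/Jun/2018:07:04:40 +0000] "GET /app/docs/v1..2/notes.txt HTTP/1.1" 200 64',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input (%252e) is exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if the request target holds a '..' segment in its path or a query value."""
    decoded = fully_decode(target)
    # Split on query delimiters so a value such as file=../../x is tested as a path.
    return any(DOTDOT.search(part) for part in re.split(r'[?&=;]', decoded))

def flag_lines(log_lines):
    """Return the log lines whose request target contains a traversal segment."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if match and has_traversal(match.group(1)):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for line in flag_lines(SAMPLE_LOG):
        print("TRAVERSAL:", line)
```

A flagged request with a 200 response and a non-trivial body size is the case to review first, since the CVSS vector rates only confidentiality as affected.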

Affected Products and Versions

  • IBM Business Process Manager Standard V8.0.x, 8.5.x
  • IBM Business Process Manager Express V8.0.x, 8.5.x
  • IBM Business Process Manager Advanced V8.0.x, 8.5.x

Remediation/Fixes

Install the interim fix for APAR JR51234 as appropriate for your current IBM Business Process Manager version. Please note that on IBM Business Process Manager 8.0.1.3 the APAR is JR52424.

* [IBM Business Process Manager Express](http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR51234,JR52424)
* [IBM Business Process Manager Standard](http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR51234,JR52424)
* [IBM Business Process Manager Advanced](http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR51234,JR52424)

Workarounds and Mitigations

None
