Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)
Summary There are multiple vulnerabilities in IBM SDK Java™ Technology Edition that is used by IBM Process Designer in IBM Business Process Manager and WebSphere Lombardi Edition. These issues were disclosed as part of the IBM Java SDK updates for October 2015 and in the IBM Java SDK updates in...
Security Bulletin: Multiple security vulnerabilities in Business Space affect IBM Business Process Manager and WebSphere Process Server (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)
Summary Business Space is a user interface framework that is available in WebSphere Process Server and IBM Business Process Manager (BPM). In IBM BPM Express Edition and Standard Edition the framework is not used directly by end users; however, it is still available and contributes parts of the...
Security Bulletin: Vulnerability in Apache Commons affects IBM Business Process Manager (CVE-2015-7450)
Summary An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Business Process Manager. Vulnerability Details CVEID: CVE-2015-7450 DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system,...
Security Bulletin: Incorrect SSL/TLS handling in Remote Artifact Loader in IBM Business Process Manager Advanced and WebSphere Process Server
Summary IBM WebSphere Process Server and IBM Business Process Manager Advanced have a component, "Remote Artifact Loader" (RAL), that allows access to artifacts contained in other applications. In remote access cases an HTTPS connection from the RAL client to the RAL server is established. This HTTPS...
Security Bulletin: Vulnerability in Apache Commons might affect WebSphere Industry Content Packs and IBM Business Process Manager Industry Packs (CVE-2015-7450)
Summary A vulnerability for handling Java object deserialization in the Apache Commons Collections open source library has been reported. A vulnerable version of the library is included in templates shipped with WebSphere Industry Content Packs and IBM Business Process Manager Industry Packs...
Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)
Summary WebSphere Application Server is shipped as a component of IBM Business Process Manager and WebSphere Lombardi Edition. Information about security vulnerabilities affecting WebSphere Application Server has been published in security bulletins. Vulnerability Details Please consult the...
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server shipped with WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition
Summary WebSphere Application Server is shipped as a component of IBM Business Process Manager and WebSphere Lombardi Edition. Information about security vulnerabilities affecting IBM HTTP Server shipped with WebSphere Application Server has been published in security bulletins. Vulnerability...
Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager dashboards (CVE-2015-4955)
Summary Due to insufficient user input escaping, IBM Business Process Manager dashboards are vulnerable to cross-site scripting. Vulnerability Details CVEID: CVE-2015-4955 DESCRIPTION: IBM Business Process Manager is vulnerable to reflected cross-site scripting, which is caused by the improper...
Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition
Summary WebSphere Application Server is shipped as a component of IBM Business Process Manager and WebSphere Lombardi Edition. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Please consult the...
Security Bulletin: Multiple security vulnerabilities in Elasticsearch might affect Process Federation Server in IBM Business Process Manager (BPM) - CVE-2015-5531, CVE-2015-5377
Summary IBM Process Federation Server is an optional component that is shipped with IBM Business Process Manager (BPM) V8.5.6.0. It allows the collection of task information of existing IBM Business Process Manager environments to provide a federated task list. IBM Process Federation Server uses th...
Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition
Summary WebSphere Application Server is shipped as a component of IBM Business Process Manager and WebSphere Lombardi Edition. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Please consult the...
Security Bulletin: IBM Business Process Manager (BPM) document store is susceptible to XXE (XML External Entity) attacks. (CVE-2013-5452)
Summary An XML eXternal Entity (XXE) vulnerability has been reported for the embedded component used by IBM BPM document store. Vulnerability Details CVEID: CVE-2013-5452 DESCRIPTION: The IBM FileNet Business Process Framework is vulnerable to an XML external entity attack. A remote attacker could...
Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (Java CPU July 2015)
Summary WebSphere Application Server is shipped as a component of IBM Business Process Manager and WebSphere Lombardi Edition. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Please consult the...
Security Bulletin: Missing authorization concept for document upload and download in IBM Business Process Manager (BPM) CMIS integration (CVE-2015-1904)
Summary IBM Business Process Manager offers integration with external Enterprise Content Management (ECM) systems. If a process app is configured to always connect to an external ECM system using a predefined technical system account rather than the actual end user, then the process app developer h...
Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-4000)
Summary The LogJam Attack on Diffie-Hellman ciphers (CVE-2015-4000) may affect some configurations of IBM WebSphere Application Server Full Profile and IBM WebSphere Application Server Liberty Profile that are shipped as a component of WebSphere Lombardi Edition and IBM Business Process Manager. Th...
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Process Manager (BPM), WebSphere Process Server (WPS), and WebSphere Lombardi Edition (WLE): CVE-2015-1920
Summary WebSphere Application Server is shipped as a component of IBM Business Process Manager, WebSphere Process Server, and WebSphere Lombardi Edition (WLE). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability...
Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-2808)
Summary The RC4 “Bar Mitzvah” attack for SSL/TLS affects IBM WebSphere Application Server that is used by WebSphere Lombardi Edition (WLE) and IBM Business Process Manager. Vulnerability Details CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could...
Security Bulletin: File path traversal vulnerability in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) (CVE-2015-1884)
Summary IBM Business Process Manager and WebSphere Lombardi Edition are vulnerable to file path traversal. Due to insufficient input parameter validation, files can be downloaded by authenticated attackers using specially crafted URLs. Vulnerability Details CVEID: CVE-2015-1884 DESCRIPTION: IBM...
Security Bulletin: Insufficient authorization in Service REST API and cross site scripting vulnerability in REST API affecting IBM Business Process Manager (CVE-2015-1905, CVE-2015-1906)
Summary IBM Business Process Manager REST API is vulnerable to cross site scripting due to insufficiently restricted parameter values for controlling content types. IFixes shipped with this advisory also close an additional vulnerability due to insufficient authorization checks on interacting wit...
Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is used by WebSphere Application Server underneath IBM Business Process Manager and WebSphere Lombardi Edition. These issues were disclosed as part of the IBM SDK Java™ Technology Edition updates in January 2015...