APAR status
Closed as program error.
Error description
A class in Apache Commons FileUpload contains code that triggers code execution as part of deserialization. The Apache Commons FileUpload library exists in IBM Business Process Manager (BPM) and makes this class available on the class path. If any code in IBM BPM deserializes Java objects from an ObjectInputStream, this code is vulnerable to remote code execution. Deserialization can occur implicitly in various data handlers and even explicitly in your own code in your process applications.

CVEID: CVE-2016-1000031
DESCRIPTION: Apache Commons FileUpload, as used in Novell NetIQ Sentinel and other products, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in the DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117957 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
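The description above notes that process applications may deserialize Java objects from an ObjectInputStream in their own code. The following is an added example, not code from this APAR or from IBM BPM, showing the standard defensive control for that situation: a serialization allow-list filter (java.io.ObjectInputFilter, available since Java 9) installed on the stream before readObject() runs, so that only the one record type the application expects is accepted and everything else, explicitly including the org.apache.commons.fileupload package where DiskFileItem lives, is rejected before any of its deserialization logic executes. The class names OrderEvent and UnexpectedType and the serialized payloads are constructed for the demonstration; the real DiskFileItem class is not needed to show the rejection path.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class DeserializationFilterDemo {

    // Hypothetical application type that the application legitimately expects to read.
    static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        final int quantity;
        OrderEvent(String orderId, int quantity) {
            this.orderId = orderId;
            this.quantity = quantity;
        }
    }

    // Constructed stand-in for any serializable class the application never expects
    // on the wire; it plays the role of a gadget class such as DiskFileItem here.
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload = "constructed";
    }

    // Allow-list filter. Patterns are evaluated in order and the first match wins:
    //   - the expected record type and java.lang.String (used by its field) are allowed,
    //   - the Commons FileUpload package tree is rejected explicitly,
    //   - "!*" rejects every other class,
    //   - the limits bound depth, reference count and byte size of any accepted stream.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$OrderEvent;"
          + "java.lang.String;"
          + "!org.apache.commons.fileupload.**;"
          + "maxdepth=5;maxrefs=100;maxbytes=65536;"
          + "!*");

    // Helper used only to build test input for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The single deserialization entry point the application should use: the filter
    // is attached before readObject() parses the first class descriptor, so a rejected
    // class never has its readObject/readResolve code invoked.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the filter.
        OrderEvent ok = (OrderEvent) readFiltered(serialize(new OrderEvent("A-42", 3)));
        System.out.println("accepted: " + ok.orderId + " x" + ok.quantity);

        // Any other type is rejected with InvalidClassException ("filter status: REJECTED").
        try {
            readFiltered(serialize(new UnexpectedType()));
            System.out.println("BUG: unexpected type was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the description also says deserialization can happen implicitly in data handlers that application code never touches, a per-stream filter alone does not cover the product's own paths; the same pattern syntax can be applied process-wide through the jdk.serialFilter system property (for example -Djdk.serialFilter='!org.apache.commons.fileupload.**' on the JVM command line), which is a useful stop-gap for a deployment that cannot take the cumulative fix immediately. Removing the class from the class path, as the fix in this APAR does, remains the complete remediation.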
Local fix
Problem summary
No additional information is available.

PRODUCTS AFFECTED
IBM BPM V8.6
IBM BPM Advanced
IBM BPM Standard
IBM BPM Express
IBM BPM ESB
Problem conclusion
A fix is available for IBM BPM V7.5.1.2, V8.0.1.3, V8.5.0.2, V8.5.5.0, V8.5.6.0 cumulative fix (CF) 02, V8.5.7 CF2017.06 and V8.6, and will be included in the next cumulative fix for IBM BPM V8.6.0.0. The fix upgrades Apache Commons FileUpload to remove the dangerous class from the class path.
Temporary fix
Comments
APAR Information
APAR number
JR58611
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
857
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-10-30
Closed date
2018-01-12
Last modified date
2018-01-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
12 January 2018