Security Bulletin
Summary
The User Attribute feature in IBM Business Process Manager does not have an authorization concept.
Vulnerability Details
As a consequence, each user can read and update their own attribute values and the attribute values for another user by using REST APIs. However, there are security-sensitive use cases for user attribute values, such as email notifications or task assignments that use expressions. You might also choose to store confidential information about users in user attribute values. The lack of authorization for this feature can create a security exposure.
CVEID: CVE-2014-0908
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Affected Products and Versions
- IBM Business Process Manager Standard V7.5.x, 8.0.x, 8.5.x
- IBM Business Process Manager Express V7.5.x, 8.0.x, 8.5.x
- IBM Business Process Manager Advanced V7.5.x, 8.0.x, 8.5.x
Remediation/Fixes
Install IBM Business Process Manager interim fix JR49505 as appropriate for your current IBM Business Process Manager product version. Interim fixes are available for the following products:
Workarounds and Mitigations
The following workarounds are available depending on your usage of the IBM Business Process Manager product and its REST APIs:
- Do not use user attribute values for security-sensitive use cases.
- Block write access to the REST APIs User resource (PUT and POST HTTP methods) in a firewall.
- Do not expose the User resource REST API on your web server.
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Product Synonym
BPM
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21669330