Security Bulletin
Summary
IBM Business Process Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise.
Vulnerability Details
Review the following security bulletins for IBM Business Process Manager for vulnerability details and information about fixes.
- Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager Process Portal (CVE-2015-8524)
- Security Bulletin: IBM Business Process Manager authorization checks for process and task deletion are insufficient (CVE-2015-7463)
- Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-7417)
- Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)
- Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)
- Security Bulletin: Vulnerability in Apache Commons affects IBM Business Process Manager (CVE-2015-7450)
- Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)
- Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager dashboards (CVE-2015-4955)
- Security Bulletin: IBM Business Process Manager (BPM) document store is susceptible to XXE (XML External Entity) attacks (CVE-2013-5452)
- Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-1932, CVE-2015-4938, CVE-2015-1946)
- Security Bulletin: Missing authorization concept for document upload and download in IBM Business Process Manager (BPM) CMIS integration (CVE-2015-1904)
- Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (Java CPU July 2015 - CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)
- Security Bulletin: Multiple security vulnerabilities in ElasticSearch might affect Process Federation Server (PFS) in IBM Business Process Manager (BPM) - CVE-2015-5531, CVE-2015-5377
- Security Bulletin: Cross-site scripting vulnerabilities in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) error handling (CVE-2015-0193)
- Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)
- Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-1885, CVE-2015-1946, CVE-2015-1927)
- Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Process Manager (BPM), WebSphere Process Server (WPS), and WebSphere Lombardi Edition (WLE): CVE-2015-1920
- Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)
- Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-4000)
- Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-2808)
- Security Bulletin: Multiple vulnerabilities in IBM SDK Java™ Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-0138 CVE-2014-6593 CVE-2015-0400 CVE-2015-0410)
- Security Bulletin: Multiple vulnerabilities in IBM SDK for Java Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2014-6512, CVE-2014-6457, CVE-2014-6558, CVE-2014-3566)
- Security Bulletin: Vulnerability in SSLv3 affects IBM Business Process Manager (CVE-2014-3566)
- Security Bulletin: TLS padding vulnerability affects IBM HTTP Server shipped with IBM Business Process Manager family products (CVE-2014-8730)
- Security Bulletin: Cross-Site Scripting vulnerabilities in Dojo affect IBM Business Process Manager (BPM), WebSphere Lombardi Edition (WLE), and WebSphere Process Server (WPS) - CVE-2014-8917
Affected Products and Versions
Principal Product and Version | Affected Supporting Product and Version |
IBM Cloud Orchestrator 2.5, 2.5.0.1, 2.5.0.1 Interim Fix 1, 2.5.0.2; IBM Cloud Orchestrator Enterprise 2.5.0.1, 2.5.0.1 Interim Fix 1, 2.5.0.2 | IBM Business Process Manager Standard 8.5.6 |
IBM Cloud Orchestrator 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3; IBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3 | IBM Business Process Manager Standard 8.5.0.1 |
IBM SmartCloud Orchestrator 2.3, 2.3.0.1; IBM SmartCloud Orchestrator Enterprise 2.3, 2.3.0.1 | IBM Business Process Manager Standard 8.5 |
Get Notified about Future Security Bulletins
References
Change History
* 20 May 2016: Added link to new bulletin
* 20 May 2016: Added bulletin for Java CPU April 2016
* 30 April 2015: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Update October 2016: Added CVE IDs: CVE-2016-5901, CVE-2016-3056, CVE-2014-9748, CVE-2016-1669, CVE-2016-1181, CVE-2016-1182, CVE-2015-0899, CVE-2016-0359, CVE-2016-0377, CVE-2016-0385, CVE-2016-1181, CVE-2016-1182, CVE-2016-2960, CVE-2016-3485, CVE-2016-3092, CVE-2016-5986, CVE-2016-5983
Update July: Added CVE ID: CVE-2015-0254
Update May: Added CVE IDs: CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2016-0227, CVE-2015-8524, CVE-2015-7463, CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448, CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006, CVE-2015-4955, CVE-2013-5452, CVE-2015-2808, CVE-2015-0138, CVE-2014-6593, CVE-2015-0400, CVE-2015-0410, CVE-2014-6512, CVE-2014-6457, CVE-2014-6558, CVE-2014-3566, CVE-2014-8730, CVE-2015-0193, CVE-2015-1885, CVE-2015-1946, CVE-2015-1927, CVE-2015-1920, CVE-2015-0488, CVE-2015-0478, CVE-2015-1916, CVE-2015-0204, CVE-2015-0138, CVE-2015-2808, CVE-2015-4000, CVE-2015-5531, CVE-2015-5377, CVE-2015-1904, CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-0193, CVE-2015-1946, CVE-2015-7417, CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872, CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196
(BPM Configuration Editor)
CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206
(BPM-specific)
CVEs: CVE-2016-0227, CVE-2015-8524, CVE-2015-7463, CVE-2016-0483
Added CVE IDs: CVE-2015-7407, CVE-2015-7400, CVE-2015-7454
NOTE: I have cleaned up the Change history, as I think that with too many updates the text has become unsuitable/unreadable for the web. I have kept the last update for new bulletins.
Change history
* 08 February 2016: Added 3 new bulletins
* 11 December 2015: Added links to CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734 and CVE-2015-5006
* 27 October 2015: Added links to CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205 and CVE-2015-0206
* 13 October 2015: Added link to Dojo bulletin
* 05 October 2015: Added links to new bulletins
* 18 September 2015: Added link to WebSphere Application Server 8.5.5.6 Security Bulletin in Related information
* 19 August 2015: Added links about IBM SDK Java™ July 2015 CPU, and Missing Authorization on top of vulnerability details
* 14 August 2015: Added links about ElasticSearch
* 29 July 2015: Added links about IBM SDK Java™ April 2015 CPU and Cross Site Scripting
* 13 July 2015: Added link about Diffie-Hellman ciphers on top of vulnerability section
Document Information
Modified date:
17 June 2018
UID
swg21882542