#VU9339 Improper access control in IBM Business Process Manager


Published: 2017-11-15

Vulnerability identifier: #VU9339

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-1628

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Business Process Manager
Server applications / Other server solutions

Vendor: IBM Corporation

Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists due to an access control flaw in a REST API. A remote attacker can can cause the Event Manager to start or stop.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Install update from vendor's website (APAR JR58466).

Vulnerable software versions

IBM Business Process Manager: 8.6.0

External links
http://www-01.ibm.com/support/docview.wss?uid=swg22009496

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Denial of service in IBM Business Process Manager