CVE-2014-6176 — IBM Business Process Manager vulnerability

CWE-3103 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.4%

top 41.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

IBM Business Process Manager IBM Websphere Enterprise Service BUS IBM Websphere Process Server

Timeline

PublishedDec 16

Latest updateMay 17

Description

IBM WebSphere Process Server 7.0, WebSphere Enterprise Service Bus 7.0, and Business Process Manager Advanced 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5 disregard the SSL setting in the SCA module HTTP import binding and unconditionally select the SSLv3 protocol, which makes it easier for remote attackers to hijack sessions or obtain sensitive information by leveraging the use of a weak cipher.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages3 packages

▶NVDibm/websphere_process_server7.0

▶NVDibm/business_process_manager12 versions+11

▶NVDibm/websphere_enterprise_service_bus7.0

🔴Vulnerability Details

GHSA

GHSA-fp8r-g5fc-7gx9: IBM WebSphere Process Server 7↗2022-05-17

▶

CVEList

CVE-2014-6176: IBM WebSphere Process Server 7↗2014-12-16

▶