A Secure Sockets Layer (SSL) connection can be established without host name verfication, which an make the connection vulnerable to a man-in-the-middle attack.
While obtaining an SSL connection, the IBM Business Process Management (BPM) system does not validate the host name of the target connection against the SubjectDN of the certificate. This situation can make the connection vulnerable to a man-in-the-middle attack.
CVE ID: 2012-5785
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79830 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
To eliminate a man-in-the-middle attack, apply Interim Fixes JR45329, JR45216, and JR45071, or apply a Fix Pack that contains these APARS. These changes verify the host name against the certificate SubjectDN value. Using the following links, download the interim fixes from IBM Fix Central for IBM Integration Designer, Business Space (IBM Business Monitor) and your applicable IBM Business Process Manager product: