IBM Support

IV77742: ALLOW CHARACTER EXCLUDE LIST FOR TAKE ACTION

Fixes are available

IBM Tivoli Monitoring 6.3.0 Fix Pack 7 (6.3.0-TIV-ITM-FP0007)
IBM Tivoli Monitoring Remote Code Execution (IV77742)

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Currently when a Tivoli Portal user has "Take Action"
authority, the dialog used for passing arguments with an
action,  command allows for inclusion of additional characters
in the text field.

RECREATE INSTRUCTIONS:
Select an action command that accepts parameters, a dialog will
appear which is an editable freeform field.

Local fix

  • Remove the "Take Action" authority from the Tivoli Portal user
account.

Problem summary

  • Currently when a Tivoli Portal user has "Take Action" authority,
 the dialog used for passing arguments with an action command:
'Edit Argument Values' pop-up, allows for inclusion of
additional characters in the text field. By this APAR fix, the
administrator is able to list the characters that are not
allowed in this field.

In order for this APAR to be properly implemented in your
environment, a new environment variable has been added.  See the
"Install Actions" section of the APAR conclusion for more
details.

Problem conclusion

  • Code was changed to exclude characters in take action text field
 by 'KFW_TAKE_ACTION_EXCLUDE_CHARACTERS' variable.

When a Tivoli Portal user has "view" authority to run take
action commands, if a command is defined to prompt the user for
additional input then the Edit Argument Values window is
displayed. Currently the user can provide specially crafted
input which can result in additional command(s) being executed.
This APAR will exclude specific characters from being used as
input to the dialog.

Install Actions:
To fully enable this APAR, the following post installation steps
should be completed:

 1. A new environment variable
KFW_TAKE_ACTION_EXCLUDE_CHARACTERS will be needed in the kfwenv
file (Windows) or cq.ini file (Linux/UNIX). This variable should
list the set of characters that are not allowed to be entered
into the Edit Argument Values when a user has "view" authority.
For example, to restrict the values ";" or "&" or "|", add the
environment variable using the format below:

    On Windows: Open kfwenv in <CANDLEHOME>\CNPS, define
    KFW_TAKE_ACTION_EXCLUDE_CHARACTERS.
         KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&|

    On Linux/UNIX:  Open cq.ini in <CANDLEHOME>/config, define
    KFW_TAKE_ACTION_EXCLUDE_CHARACTERS.
         KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&|

Save the file (the change will not take effect until the Tivoli
Enterprise Portal is restarted in step #2 below).

The list of characters can be customized by the administrator if
additional characters want to be added to the exclude list. Once
this value is set and the portal server recycled, a user with
view authority to run a take action will no longer be able to
enter those characters into the Edit Arguments dialog box.

 2. After adding the environment variable
KFW_TAKE_ACTION_EXCLUDE_CHARACTERS above, the portal server
needs to be restarted.

 3. The Java plugin jar cache needs to be cleared on all
desktops that run the Tivoli Enterprise Portal client.
    - From the Windows control panel, double-click the Java icon
that represents the Java control panel.
    - Select the "General" tab, press the "settings" button,
then press the "Delete files" button to clear currently cached
applications.
    - The next time the Tivoli Enterprise Portal client is
started the newly patched jar files in this fix will be
downloaded.

 4. Restart the Tivoli Enterprise Portal client.


The fix for this APAR is contained in the following maintenance
packages:

   | fix pack | 6.3.0-TIV-ITM-FP0007
   | provisional fix | 6.3.0-TIV-ITM-FP0005-IV77742
   | provisional fix | 6.2.3-TIV-ITM-FP0005-IV77742
   | provisional fix | 6.2.2-TIV-ITM-FP0009-IV77742

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IV77742
    • 

  • Reported component name
    TEP
    • 

  • Reported component ID
    5724C04EP
    • 

  • Reported release
    630
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2015-10-07
    • 

  • Closed date
    2017-01-06
    • 

  • Last modified date
    2017-01-06
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    TEP
    • 

  • Fixed component ID
    5724C04EP
    • 



Applicable component levels


    

  • R630  PSY
       UP
    • 








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"630"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            30 December 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback