Change log
IBM® Safer Payments 6.3.1.00 includes critical, major, and minor bug fixes and APARs.
Critical changes
- The attach button in case investigation was always deactivated. The drag and drop functionality was not working.
Major changes
- The following elements allowed a user without the privilege to view unmasked data to create conditions to enumerate encrypted data: simulation data selection and target conditions, rule generation training and verification data selection and rule generation predefined conditions, random forest training and verification data selection, reporting query performance indicator, defined risk list entries, and defined risk list upload alert lists.
- In certain situations, cases with masterdata on category attributes might not be displayed in case investigation (APAR PO09780).
- A backtrace or crash might occur after a golive if the data from the champion to retire was accessed from a query, case investigation, and so on (APAR PO09619).
- Improved restoration times on the Receiving side by optimizing the parsing functionality.
- The application crashed when trying to save a model that is generated by the random forest generator after it was stopped manually (APAR PO09721).
- Empty double quotes appeared in the response object if more than 10 rules were mapped from a client response. The fix introduces a sorting function to handle those scenarios (APAR PO09690).
- In rare situations, a crash might occur when conducting multiple save operations on a case. It can happen when a CPP or memo is saved multiple times for the same case during a short time frame, for example, by double-clicking the save button (APAR PO09701).
- An option was added to load encrypted file jobs that use AES-CTR as cipher. The online help was updated to use this algorithm.
- In rare situations, the FLI connection hangs (APAR PO09686).
- The remote golive factor has been removed from the re-create index job form (APAR PO09682).
- Saving attributes with computation impact did not invalidate an active simulation, causing possible access to invalid data. Additionally, when saving revision elements, a warning popup is now shown when there is an active simulation (APAR PO09525).
- Maximum latency, FLI rate, and latency violations SAIs did not work correctly because the option for instance selection was missing from the user interface (APAR PO09751).
- Computation results were inconsistent between instances when using external models with mergings recomputation (APAR PO09743).
- In rare cases where a deadlock prevented a simulation from being stopped, it would prevent the API being disabled, which might result in two instances having an API enabled. This change prioritizes deactivation to prevent that scenario (APAR PO09481).
- Running a curtailing masterdata job might have caused a deadlock when index entries were updated at the same time in parallel (APAR PO09664).
- The login request and other PADSS sensitive API requests were not rejected by the server when sent as GET instead of POST requests. The requests that now enforce POST are: Login, ChangeAuthAddress, InsertPin, ChangePassword, CreateDefinedRiskListImportSettings, GetCaseAction, IsPasswordValid, PathExists, Save, SendCaseActionFromPreview, SetMasterdata, SetQuickSearchCasesTablePreference, SetUserExportPassword.
- Random forest generation within IBM Safer Payments ignored the conditions that are configured during data selection. This caused inconsistency in the number of records being processed during a simulation and random forest generation (APAR PO09646).
- In attribute settings, the table had incorrect data types.
- Compliance lists did not hit a record when the list used the metaphone setting and a search was done for more than one name (APAR PO09643).
- The missed cases report included cases whose generation time was within the selected time range, although the reference parameter is set to case closed time.
- During a re-create index job, the MCI, MQI, and KQI interfaces were not closed when bypass was activated or when the close-during-golive option was activated. This might have caused redundant deferred writing.
- In rare situations, a crash occurred if an analysis was deleted while being accessed by another part of the code. This change introduces protection to prevent a crash from occurring in that scenario (APAR PO09724).
- The table on the report page can sometimes show an extra column of data, misaligning the regular columns with their headers, and causing some columns not to be displayed.
- Generating a reporting query by a job resulted in a report that did not contain any headers for the columns. Now, the correct headers are included. In addition, CSV files that are exported from reporting queries and group by queries had the header for the grouping attribute as "Grouping attribute value"; this has been changed to reflect the actual name of the attribute. For both reporting queries and group by query reports, when they are used for rule performance, the header of the first column was changed from "rule performance" to "rule".
- The icon and text of the simulation progress component did not indicate that the simulation had started and was undergoing initialization. Now, a distinct icon and text line make that transition more apparent (APAR PO09601).
- CSV exports generated by IBM Safer Payments might trigger remote code execution when opened with an external spreadsheet application that was vulnerable to remote code execution.
- To facilitate issue investigation, added a release string to the backtrace file (backtraces_starting_at_[InstanceID]_[YYYY-MM-DD].iris).
- The options to enable/disable "Resolve uncached reporting attributes" and "Include DDC to resolve uncached reporting attributes" were not available on the user interface. They were added to Administration > Configuration > Case Investigation. The default is false for new configurations. In addition, the cases table no longer shows values for reporting attributes that are not selected in the case class of the respective case, as this might cause a negative performance impact (APAR PO09399).
- The default timestamp for notices was previously set to a date far in the past. Now it is set to the current date and time (APAR PO09675).
- Users with mask level "must not see values" could still see constant values in clear text in the expression fields of conditions that use encrypted attributes.
- Salts for export jobs were generated with a weak random number generator on the client side when not modified by the user. Additionally, when the browser was not refreshed, newly created export jobs got the same salt value.
- The latency report shows the redundant computation element "unknown" and prints "0" instead of "External Model".
- On encrypted instances, a popup error might have appeared when opening a case creation page.
- Multiple buffer overflows have been fixed:
  - Configuring the MCI incoming buffer smaller than an incoming message causes the message to be written into invalid memory regions.
  - Configuring the MCI response buffer to be smaller than 80 leads to the application writing parts of the response into invalid memory regions.
  - Configuring the FLI buffer to be less than 80 bytes led to a buffer overflow whenever a configuration update or transaction message is synchronized.
  - Triggering a case action from the Potential first parties section of a collusion case causes a null terminator to be written into invalid memory when the case action message placeholder [Firstparty] is used and the value for the first party has the maximum length of the first party attribute.
  - Configuring the IBM MQ interface to use more than 256 characters for most fields causes a buffer overflow inside the IBM MQ library.
  - The value for MQ Channel is not 0-terminated, possibly leading to security problems. The maximum length for the MQ Channel name is now 19 characters.
  Buffer overflows in general can have severe security impact, although it is hard to judge how exploitable the previously mentioned overflows really are. Buffer overflows can also cause the application to crash in rare cases.
- An instance is now automatically invalidated after a crash occurs. This was changed because a crash usually causes broken data and data loss. A button was added in the cluster user interface settings to force an instance to start up. An optional command-line argument after_crash was added to enforce different startup behaviors.
- If a user swiped over a component with a tooltip on a read-only page, the tooltip message box remained open after the user moved the cursor away. The tooltips now disappear as expected (APAR PO09413).
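The CSV export fix above concerns the class of defect where a cell that begins with a formula character is executed by the spreadsheet that opens the file. The following C code is an added example for this change log, not IBM Safer Payments code, and the function names and the sample record are assumptions; it shows the usual export-side mitigation: quote every cell, double embedded quotes, and prefix a cell that would otherwise be read as a formula with an apostrophe so the spreadsheet treats it as text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 if a spreadsheet application would read the
 * cell as a formula (leading '=', '+', '-', '@', tab or carriage return). */
int starts_formula(const char *cell) {
    if (cell == NULL || cell[0] == '\0') return 0;
    return strchr("=+-@\t\r", cell[0]) != NULL;
}

/* Write one CSV cell into out: always quoted, embedded quotes doubled
 * (RFC 4180), and a leading apostrophe inserted when the cell would
 * otherwise be parsed as a formula. Returns bytes written (excluding the
 * terminator) or -1 if the output buffer is too small; on -1 the buffer
 * content is unspecified but the buffer is never overrun. */
int csv_write_cell(char *out, size_t out_size, const char *cell) {
    size_t n = 0;
    if (out == NULL || cell == NULL || out_size == 0) return -1;
#define PUT(ch) do { if (n + 1 >= out_size) return -1; out[n++] = (ch); } while (0)
    PUT('"');
    if (starts_formula(cell)) PUT('\'');
    for (const char *p = cell; *p != '\0'; ++p) {
        if (*p == '"') PUT('"');
        PUT(*p);
    }
    PUT('"');
#undef PUT
    out[n] = '\0';
    return (int)n;
}

/* Join cells into one CSV row separated by commas. Same return convention. */
int csv_write_row(char *out, size_t out_size, const char *const *cells, size_t count) {
    size_t n = 0;
    if (out == NULL || out_size == 0) return -1;
    out[0] = '\0';
    for (size_t i = 0; i < count; ++i) {
        if (i > 0) {
            if (n + 1 >= out_size) return -1;
            out[n++] = ',';
        }
        int w = csv_write_cell(out + n, out_size - n, cells[i]);
        if (w < 0) return -1;
        n += (size_t)w;
    }
    return (int)n;
}

int self_test(void) {
    /* Constructed sample record, not taken from any real export. */
    const char *cells[] = { "12345", "=SUM(A1:A9)", "Smith, John", "plain \"quoted\" text" };
    const char *expected =
        "\"12345\",\"'=SUM(A1:A9)\",\"Smith, John\",\"plain \"\"quoted\"\" text\"";
    char row[128];
    int ok = 0;
    ok += csv_write_row(row, sizeof row, cells, 4) == (int)strlen(expected);
    ok += strcmp(row, expected) == 0;
    ok += csv_write_row(row, 8, cells, 4) == -1;   /* too small: refuse, do not overrun */
    ok += starts_formula("@user") == 1 && starts_formula("user") == 0;
    return ok; /* 4 when every check passes */
}

int main(void) {
    printf("%d/4 checks passed\n", self_test());
    return 0;
}
```

The apostrophe prefix also hits legitimate values such as negative numbers, so an exporter that knows the column type should apply it to text columns only. Neutralizing the export does not fix the spreadsheet application itself; it only ensures the exported file carries no cell that such an application would execute.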
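The buffer overflow entries above share one pattern: a fixed-size buffer receives data (an incoming message, an MQ channel name, a case action message with the [Firstparty] placeholder expanded) without the copy being checked against the buffer size, and the terminating 0 is either missing or written past the end. The following C code is an added example, not IBM Safer Payments code; the only value it takes from the change log is the 19-character MQ Channel maximum, and all buffer sizes, function names and test inputs are assumptions. Each function reports "does not fit" to the caller instead of writing outside its buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 19-character limit is the one stated in the change log; the other
 * sizes and all function names are assumptions for this example. */
#define MAX_CHANNEL_LEN 19
#define CHANNEL_BUF_SIZE (MAX_CHANNEL_LEN + 1)   /* room for the terminating 0 */

/* Length of s up to max bytes, without reading past a missing terminator. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* Store an incoming message in a fixed receive buffer. Returns the number
 * of bytes stored or -1 if the message does not fit; the buffer is left
 * untouched on failure so nothing is written past its end. */
int receive_into_buffer(uint8_t *buf, size_t cap, const uint8_t *msg, size_t len) {
    if (buf == NULL || msg == NULL) return -1;
    if (len > cap) return -1;
    memcpy(buf, msg, len);
    return (int)len;
}

/* Copy a textual field such as an MQ channel name into a fixed buffer,
 * always writing the terminating 0 inside the buffer. Returns 0 on success,
 * -1 if the value exceeds max_len or would not fit with its terminator. */
int copy_bounded_string(char *dst, size_t dst_size, const char *src, size_t max_len) {
    if (dst == NULL || src == NULL || dst_size == 0) return -1;
    size_t n = bounded_len(src, max_len + 1);
    if (n > max_len || n + 1 > dst_size) return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Expand the [Firstparty] placeholder of a case action message into out.
 * snprintf never writes beyond out_size, and the caller is told when the
 * result (including its terminator) would not fit rather than receiving a
 * silently truncated message. Returns the message length or -1. */
int expand_first_party(char *out, size_t out_size, const char *tmpl, const char *first_party) {
    const char *tag = "[Firstparty]";
    const char *pos;
    int written;
    if (out == NULL || tmpl == NULL || first_party == NULL || out_size == 0) return -1;
    pos = strstr(tmpl, tag);
    if (pos == NULL)
        written = snprintf(out, out_size, "%s", tmpl);
    else
        written = snprintf(out, out_size, "%.*s%s%s",
                           (int)(pos - tmpl), tmpl, first_party, pos + strlen(tag));
    if (written < 0 || (size_t)written >= out_size) return -1;
    return written;
}

int self_test(void) {
    /* Constructed inputs; none come from a real deployment. */
    uint8_t rx[8];
    const uint8_t small[3] = {1, 2, 3};
    const uint8_t big[12] = {0};
    char chan[CHANNEL_BUF_SIZE];
    char msg[32];
    int ok = 0;
    ok += receive_into_buffer(rx, sizeof rx, small, sizeof small) == 3;
    ok += receive_into_buffer(rx, sizeof rx, big, sizeof big) == -1;
    ok += copy_bounded_string(chan, sizeof chan, "SAFER.PAYMENTS.CH", MAX_CHANNEL_LEN) == 0
          && chan[17] == '\0';
    ok += copy_bounded_string(chan, sizeof chan, "THIS.CHANNEL.NAME.IS.TOO.LONG", MAX_CHANNEL_LEN) == -1;
    ok += expand_first_party(msg, sizeof msg, "Review party [Firstparty] now", "ACME") == 21
          && strcmp(msg, "Review party ACME now") == 0;
    ok += expand_first_party(msg, sizeof msg, "Review party [Firstparty] now",
                             "A-FIRST-PARTY-NAME-OF-MAXIMUM-LENGTH") == -1;
    return ok; /* 6 when every check passes */
}

int main(void) {
    printf("%d/6 checks passed\n", self_test());
    return 0;
}
```

The design choice worth noting is that every size check happens before the first byte is written, so a misconfigured buffer (the "smaller than 80" cases above) produces a rejected message and a log entry rather than a silent write into neighbouring memory; validating configured buffer sizes against their minimum at startup is the complementary check.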
Minor changes
- When restoring one instance from another, the checksum calculations for each file are slower than necessary, as they are only performed by a single thread.
- Updated the online help as follows: removed the manual restore steps, added further information about simulation load balancing and server time zone setting, and replaced the word blacklisting with blocklisting (APAR PO09742).
- Updated the online help: improved the description of Model Factory’s Relax All Up Threshold.
- Number of selected items is not shown in query result table (APAR PO09738).
- The UID assignment code for some elements was slightly refactored to remove the possibility that some elements might claim more UIDs than necessary (APAR PO09025).
- Code around the usage of conditions, internal model, random forest and lists computation was streamlined without a change to functionality.
- Sandbox records and modeling workflows might be deleted without the required privileges. Also, creating modeling workflows did not require the proper privilege.
- Users would occasionally be presented with an incomprehensible error message when attempting to encrypt an attribute. This would occur when a rule conclusion existed that would overwrite or change the attribute in some way. The error message now provides easily readable information about which rule conclusion is blocking the change to encryption status.