Fixes are available
APAR status
Closed as program error.
Error description
Currently, when a Tivoli Portal user has "Take Action" authority, the dialog used for passing arguments with an action command allows additional characters to be included in the text field. RECREATE INSTRUCTIONS: Select an action command that accepts parameters; a dialog will appear containing an editable free-form field.
Local fix
Remove the "Take Action" authority from the Tivoli Portal user account.
Problem summary
Currently, when a Tivoli Portal user has "Take Action" authority, the dialog used for passing arguments with an action command (the 'Edit Argument Values' pop-up) allows additional characters to be included in the text field. With this APAR fix, the administrator is able to list the characters that are not allowed in this field. In order for this APAR to be properly implemented in your environment, a new environment variable has been added. See the "Install Actions" section of the APAR conclusion for more details.
Problem conclusion
Code was changed to exclude characters in the take action text field, controlled by the 'KFW_TAKE_ACTION_EXCLUDE_CHARACTERS' variable. When a Tivoli Portal user has "view" authority to run take action commands, and a command is defined to prompt the user for additional input, the Edit Argument Values window is displayed. Currently the user can provide specially crafted input which can result in additional command(s) being executed. This APAR will exclude specific characters from being used as input to the dialog.

Install Actions: To fully enable this APAR, the following post-installation steps should be completed:

1. A new environment variable KFW_TAKE_ACTION_EXCLUDE_CHARACTERS is needed in the kfwenv file (Windows) or cq.ini file (Linux/UNIX). This variable should list the set of characters that are not allowed to be entered into the Edit Argument Values dialog when a user has "view" authority. For example, to restrict the values ";", "&" and "|", add the environment variable using the format below:
   On Windows: Open kfwenv in <CANDLEHOME>\CNPS and define KFW_TAKE_ACTION_EXCLUDE_CHARACTERS:
   KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&|
   On Linux/UNIX: Open cq.ini in <CANDLEHOME>/config and define KFW_TAKE_ACTION_EXCLUDE_CHARACTERS:
   KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&|
   Save the file (the change will not take effect until the Tivoli Enterprise Portal is restarted in step 2 below). The administrator can customize the list if additional characters need to be added to the exclude list. Once this value is set and the portal server recycled, a user with view authority to run a take action will no longer be able to enter those characters into the Edit Arguments dialog box.
2. After adding the environment variable KFW_TAKE_ACTION_EXCLUDE_CHARACTERS above, the portal server needs to be restarted.
3. The Java plugin jar cache needs to be cleared on all desktops that run the Tivoli Enterprise Portal client.
   - From the Windows control panel, double-click the Java icon that represents the Java control panel.
   - Select the "General" tab, press the "Settings" button, then press the "Delete files" button to clear currently cached applications.
   - The next time the Tivoli Enterprise Portal client is started, the newly patched jar files in this fix will be downloaded.
4. Restart the Tivoli Enterprise Portal client.

The fix for this APAR is contained in the following maintenance packages:
fix pack: 6.3.0-TIV-ITM-FP0007
provisional fix: 6.3.0-TIV-ITM-FP0005-IV77742
provisional fix: 6.2.3-TIV-ITM-FP0005-IV77742
provisional fix: 6.2.2-TIV-ITM-FP0009-IV77742
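As an added example (not IBM's code and not part of this APAR), the following Python reads a kfwenv/cq.ini-style fragment for KFW_TAKE_ACTION_EXCLUDE_CHARACTERS and applies the same kind of check to an Edit Argument Values entry, so an administrator can confirm what a given exclude list will and will not reject before recycling the portal server. The configuration text is constructed, and the parsing rule (every character after '=' is excluded) is an assumption about the variable's format.

```python
VAR_NAME = "KFW_TAKE_ACTION_EXCLUDE_CHARACTERS"

# Constructed cq.ini / kfwenv fragment (not copied from a real installation).
SAMPLE_CQ_INI = """\
# Tivoli Enterprise Portal Server settings (constructed example)
KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&|
"""


def load_excluded_chars(ini_text):
    """Return the set of characters listed for VAR_NAME in kfwenv/cq.ini text.

    Assumption: the value after '=' is taken verbatim, so ';&|' excludes
    ';', '&' and '|'. Blank and '#' comment lines are skipped. An empty set
    means the variable is absent, i.e. the fix is not enabled.
    """
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == VAR_NAME:
            return set(value.strip())
    return set()


def find_excluded(argument, excluded):
    """Excluded characters present in an argument, in order of first appearance."""
    seen = []
    for ch in argument:
        if ch in excluded and ch not in seen:
            seen.append(ch)
    return seen


def validate_argument(argument, excluded):
    """True when the argument contains none of the excluded characters."""
    return not find_excluded(argument, excluded)


if __name__ == "__main__":
    excluded = load_excluded_chars(SAMPLE_CQ_INI)
    print("excluded:", sorted(excluded))
    for arg in ("server01", "server01; other"):   # constructed inputs
        print(repr(arg), "->", "accepted" if validate_argument(arg, excluded)
              else "rejected " + str(find_excluded(arg, excluded)))
```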
Temporary fix
Comments
APAR Information
APAR number
IV77742
Reported component name
TEP
Reported component ID
5724C04EP
Reported release
630
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-10-07
Closed date
2017-01-06
Last modified date
2017-01-06
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TEP
Fixed component ID
5724C04EP
Applicable component levels
R630 PSY
UP
Document Information
Modified date:
30 December 2022