IBM Support

JR49505: SECURITY APAR CVE-2014-0908 - MISSING AUTHORIZATION CONCEPT FOR USER ATTRIBUTES

APAR status

  • Closed as program error.

Error description

  • There is no way to manage authorization for read or write
    access to user attribute values.
    
    PROBLEM DETAILED DESCRIPTION:
    
    The User Attribute feature in IBM BPM has no authorization
    concept. As a consequence, each user can read and update his or
    her own and other users' user attribute values by using REST
    APIs. However, there are security-sensitive use cases for user
    attribute values, such as email notifications or task assignments
    that use expressions. You might also choose to store
    confidential information about users in user attribute values.
    The lack of authorization for this feature can create a security
    exposure.
    

Local fix

  • n/a
    

Problem summary

  • There is no way to manage authorization for read or write access
    to user attribute values.
    
    PROBLEM DETAILED DESCRIPTION:
    
    The User Attribute feature in IBM BPM has no authorization
    concept. As a consequence, each user can read and update his or
    her own and other users' user attribute values by using REST
    APIs. However, there are security-sensitive use cases for user
    attribute values, such as email notifications or task assignments
    that use expressions. You might also choose to store
    confidential information about users in user attribute values.
    The lack of authorization for this feature can create a security
    exposure.
    

Problem conclusion

  • A fix is available that ensures that the user attribute feature
    is secure by default and adds authorization for accessing user
    attributes by using REST APIs.
    
    With the fix applied, a configurable whitelist of user
    attributes is introduced to control which user attributes are
    readable for all users. The configuration property name for this
    whitelist is public-attribute.
    
    The default whitelist is introduced in 00Static.xml and can be
    extended or overwritten in 100Custom.xml:
    
    <server>
      ...
      <user-attributes>
        ...
        <rest-authorization>
          <public-attribute>Title</public-attribute>
          <public-attribute>Task Email Address</public-attribute>
          <public-attribute>Image</public-attribute>
          <public-attribute>Primary Role</public-attribute>
          <public-attribute>Phone Number</public-attribute>
          ...
        </rest-authorization>
      </user-attributes>
      ...
    </server>
    
    For information about how to change configuration properties in
    100Custom.xml, see the appropriate documentation:
    
    - V7.5.x "Changing IBM© Process Server properties in 100Custom.xml"
      (http://pic.dhe.ibm.com/infocenter/dmndhelp/v7r5m1/topic/com.ibm.wbpm.admin.doc/topics/changing_server_props.html)
    
    - V8.0.x "Changing IBM© Process Server properties in 100Custom.xml"
      (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r0m1/topic/com.ibm.wbpm.admin.doc/topics/changing_server_props.html)
    
    - V8.5.x "Changing IBM© Process Server properties in 100Custom.xml"
      (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r5m0/topic/com.ibm.wbpm.admin.doc/topics/changing_server_props.html)
    
    With the fix applied, another configurable whitelist of user
    attributes is introduced to control which user attributes each
    user can update in his or her own user profile. The
    configuration property name for this whitelist is
    self-manageable-attribute. Because there are cases in IBM
    Process Portal in which users set their own email address,
    phone number, job title and other settings by using REST APIs,
    all attributes that are shipped with the product are listed as
    self-manageable. The exact set of default self-manageable
    attributes depends on your product version. The following sample
    lists all self-manageable attributes in IBM BPM V8.5.
    
    <server>
      ...
      <user-attributes>
        ...
        <rest-authorization>
          ...
          <self-manageable-attribute>Title</self-manageable-attribute>
          <self-manageable-attribute>Portal Notification Post Mention</self-manageable-attribute>
          <self-manageable-attribute>Task Notification</self-manageable-attribute>
          <self-manageable-attribute>Task Email Address</self-manageable-attribute>
          <self-manageable-attribute>Calendar Type</self-manageable-attribute>
          <self-manageable-attribute>Show Unfollow Messages</self-manageable-attribute>
          <self-manageable-attribute>Send Connections Notification On New Task</self-manageable-attribute>
          <self-manageable-attribute>Image</self-manageable-attribute>
          <self-manageable-attribute>Primary Role</self-manageable-attribute>
          <self-manageable-attribute>Portal Notification New Task To My Group</self-manageable-attribute>
          <self-manageable-attribute>Base Text Direction</self-manageable-attribute>
          <self-manageable-attribute>Portal Mention Timestamp</self-manageable-attribute>
          <self-manageable-attribute>Phone Number</self-manageable-attribute>
          <self-manageable-attribute>Portal Default Page</self-manageable-attribute>
          <self-manageable-attribute>Locale</self-manageable-attribute>
          <self-manageable-attribute>Alert On Assign And Run</self-manageable-attribute>
          <self-manageable-attribute>Portal Dashboard Display Order</self-manageable-attribute>
          <self-manageable-attribute>Portal Notification New Task To Me</self-manageable-attribute>
        </rest-authorization>
      </user-attributes>
      ...
    </server>
    
    If your process applications contain custom user attribute
    definitions, explicitly list these custom user attributes in the
    whitelists above if you want these attributes to be either
    public or self-manageable. For example, the following stanza in
    100Custom.xml adds CustomAttribute to the list of
    self-manageable attributes.
    
    <server>
      <user-attributes merge="mergeChildren">
        <rest-authorization merge="mergeChildren">
          <self-manageable-attribute merge="append">CustomAttribute</self-manageable-attribute>
        </rest-authorization>
      </user-attributes>
    </server>
    
    Also, an action policy has been added that gives administrators
    the ability to grant full read and write access to all user
    attributes of all users. The name of the action policy is
    ACTION_MANAGE_ANY_USERATTRIBUTE.
    
    For information about how to configure action policies, see the
    appropriate documentation:
    - V7.5.x: "Restricting access to Process Portal functions"
      (http://pic.dhe.ibm.com/infocenter/dmndhelp/v7r5m1/topic/com.ibm.wbpm.admin.doc/topics/restricting_access_to_portal_functions.html)
    - V8.0.x: "Restricting access to actions on BPDs and tasks"
      (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r0m1/topic/com.ibm.wbpm.admin.doc/topics/restricting_access_to_portal_functions.html)
    - V8.5.x: "Configuration properties for Process Portal action policies"
      (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r5m0/index.jsp?topic=%2Fcom.ibm.wbpm.admin.doc%2Ftopics%2Frestricting_access_to_portal_functions.html)
    
    The default assignment is tw_admins to ensure that members of
    the default administrator group can manage user attributes by
    using a REST API.
    
    Starting with IBM BPM V8.5, it is possible to specify a different
    group name for IBM BPM administrators. If you configured a
    different group to be the bpmAdminGroup, you might want to
    change this default assignment to the group name configured as
    bpmAdminGroup. For information about setting a bpmAdminGroup,
    see "Security configuration properties"
    (http://pic.dhe.ibm.com/infocenter/dmndhelp/v8r5m0/topic/com.ibm.wbpm.admin.doc/topics/csec_config_properties.html).
    
    To revert to the previous open behavior, you can either remove
    all role assignments from action policy
    ACTION_MANAGE_ANY_USERATTRIBUTE or remove the two whitelist
    configuration properties by overwriting
    server/user-attributes/rest-authorization with no value in
    100Custom.xml.
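The following added example (not IBM code, and not part of this APAR) models the authorization scheme the fix introduces: a public-attribute whitelist governing reads of other users' attributes, a self-manageable-attribute whitelist governing updates to one's own profile, the ACTION_MANAGE_ANY_USERATTRIBUTE action policy assigned to tw_admins, and the revert-to-open configuration. The sample XML is constructed to mirror the 00Static.xml and 100Custom.xml fragments above; the handling of merge="mergeChildren" and merge="append", and the rule that a user may always read his or her own attributes, are simplifying assumptions rather than documented product behaviour.

```python
"""Model of the per-attribute REST authorization described in APAR JR49505.

Added example, not IBM code. The merge semantics and the own-attribute read
rule are assumptions; the XML fragments are constructed from the APAR text.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for the 00Static.xml defaults (a subset of the APAR's lists).
# One value is deliberately line-wrapped, as in the APAR, to show normalisation.
STATIC_XML = """
<server>
  <user-attributes>
    <rest-authorization>
      <public-attribute>Title</public-attribute>
      <public-attribute>Task Email Address</public-attribute>
      <public-attribute>Phone Number</public-attribute>
      <self-manageable-attribute>Title</self-manageable-attribute>
      <self-manageable-attribute>Task Email
        Address</self-manageable-attribute>
      <self-manageable-attribute>Locale</self-manageable-attribute>
    </rest-authorization>
  </user-attributes>
</server>
"""

# Constructed 100Custom.xml overlay: the APAR's stanza that appends CustomAttribute.
CUSTOM_XML = """
<server>
 <user-attributes merge="mergeChildren">
  <rest-authorization merge="mergeChildren">
   <self-manageable-attribute merge="append">CustomAttribute</self-manageable-attribute>
  </rest-authorization>
 </user-attributes>
</server>
"""

# Constructed overlay that reverts to the pre-fix open behaviour by
# overwriting rest-authorization with no value.
REVERT_XML = """
<server>
 <user-attributes merge="mergeChildren">
  <rest-authorization/>
 </user-attributes>
</server>
"""

# Default action-policy assignment named in the APAR: tw_admins may manage any attribute.
ACTION_POLICIES = {"ACTION_MANAGE_ANY_USERATTRIBUTE": {"tw_admins"}}


def norm(text):
    """Collapse line-wrapping whitespace inside an attribute name to single spaces."""
    return " ".join((text or "").split())


def merge(base, overlay):
    """Apply an overlay element onto a base element (assumed merge semantics).

    merge="mergeChildren": recurse into the base child with the same tag.
    merge="append": add a new sibling of that tag instead of replacing.
    No merge attribute: the overlay element replaces the base element,
    which is also how an empty <rest-authorization/> drops both whitelists.
    """
    for child in overlay:
        mode = child.get("merge")
        existing = base.find(child.tag)
        if mode == "append":
            ET.SubElement(base, child.tag).text = norm(child.text)
        elif mode == "mergeChildren" and existing is not None:
            merge(existing, child)
        else:
            if existing is not None:
                base.remove(existing)
            base.append(child)
    return base


def load(*xml_docs):
    """Parse the static configuration and apply each custom overlay in order."""
    server = ET.fromstring(xml_docs[0])
    for doc in xml_docs[1:]:
        merge(server, ET.fromstring(doc))
    return server


def whitelists(server):
    """Return (public, self_manageable) sets, or None when both lists are absent."""
    auth = server.find("user-attributes/rest-authorization")
    if auth is None or len(auth) == 0:
        return None
    public = {norm(e.text) for e in auth.findall("public-attribute")}
    own = {norm(e.text) for e in auth.findall("self-manageable-attribute")}
    return public, own


def authorize(server, op, caller, caller_groups, target, attribute, policies=ACTION_POLICIES):
    """Decide whether caller may op ('read' or 'update') an attribute of target over REST."""
    if policies["ACTION_MANAGE_ANY_USERATTRIBUTE"] & set(caller_groups):
        return True                      # action policy: full read/write on every user
    lists = whitelists(server)
    if lists is None:
        return True                      # whitelists removed: pre-fix open behaviour
    public, self_manageable = lists
    if op == "read":
        # Assumption: users may read their own attributes; others' only when public.
        return caller == target or attribute in public
    if op == "update":
        return caller == target and attribute in self_manageable
    return False                         # unknown operation: deny by default


if __name__ == "__main__":
    cfg = load(STATIC_XML, CUSTOM_XML)
    print(authorize(cfg, "read", "alice", [], "bob", "Title"))                # True (public)
    print(authorize(cfg, "read", "alice", [], "bob", "Locale"))               # False
    print(authorize(cfg, "update", "alice", [], "alice", "CustomAttribute"))  # True (appended)
    print(authorize(cfg, "update", "alice", [], "bob", "Title"))              # False
```

The model makes the two failure modes the APAR warns about visible: applying REVERT_XML (or clearing every role from the action policy) turns `authorize` back into an unconditional allow, and a custom attribute that is never appended to a whitelist is neither readable by others nor updatable by its owner, which is the secure-by-default outcome the fix intends.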
    
    FIX AVAILABILITY:
    iFix for 7.5.1.2 is/will be available on Fix Central; search for
    APAR JR49505 at http://www.ibm.com/support/fixcentral/
    iFix for 8.0.1.0 is/will be available on Fix Central; search for
    APAR JR49505 at http://www.ibm.com/support/fixcentral/
    iFix for 8.0.1.2 is/will be available on Fix Central; search for
    APAR JR49505 at http://www.ibm.com/support/fixcentral/
    iFix for 8.5.0.1 is/will be available on Fix Central; search for
    APAR JR49505 at http://www.ibm.com/support/fixcentral/
    The fix is also targeted for inclusion in the next fix pack for
    BPM V7.5.1 and BPM V8.0.1.
    
    When obtaining any of the above fixes, be sure to download the
    accompanying readme for the fix itself and for any prerequisite
    fixes, and review them thoroughly.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR49505

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    751

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-03-04

  • Closed date

    2014-05-08

  • Last modified date

    2014-05-13

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R751 PSY

       UP

  • R801 PSY

       UP

  • R850 PSY

       UP


Document Information

Modified date:
13 May 2014