IBM Support

JR50215: SECURITY APAR CVE-2014-4758 - NO ACCESS RESTRICTION ON SERVICE TYPES ON CALLSERVICE URL INVOCATION

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Because there is no access restriction based on service type
    when invoking a service using the callService URL,
    services that were meant for internal use only are exposed.
    
    
    PRODUCTS AFFECTED:
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • A user might click links that call sensitive services through
    callService.do, because there currently is no mechanism to
    restrict such calls.
    

Problem conclusion

  • A fix for all releases of IBM BPM and WLE enables administrators
     to restrict callable services by type. The fix is secure by
    default and only allows AJAX services to be invoked via the
    callService.do URL. If you have custom client applications
    relying on callService.do exposing service types other than Ajax
     Services, you need to   add configuration as described below.
    
    A configuration property is introduced to specify the whitelist
    of callable services. In 100Custom.xml, you can add the
    callservice-valid-services stanza to list one or more
    valid-service-entry elements:
    <server>
    <portal merge="mergeChildren">
    <callservice-valid-services>
    <valid-service-entry>Ajax Service</valid-service-entry>
    </callservice-valid-services>
    </portal>
    </server>
    
    Possible values for valid-service-entry are:
    * all
    * none
    * Regular Service
    * Rule Service
    * Ajax Service
    * Human Service
    * Integration Service
    * Installation Service
    * General System Service
    * SCA Service
    * Case Manager Integration Service
    * Undercover Agent Passthrough Service
    
    If either the special keyword "all" or "none" is encountered in
    the list, all other entries will be ignored.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR50215:
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR50215, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • Temporary Fix:
    

Comments

APAR Information

  • APAR number

    JR50215

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    801

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-05-12

  • Closed date

    2014-09-02

  • Last modified date

    2014-09-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R751 PSY

       UP

  • R801 PSY

       UP

  • R850 PSY

       UP

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.1","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
05 September 2014