Fixes are available
APAR status
Closed as program error.
Error description
Because there is no access restriction based on service type when invoking a service using the callService URL, services that were meant for internal use only are exposed. PRODUCTS AFFECTED: IBM Business Process Manager (BPM) Advanced IBM BPM Standard IBM BPM Express
Local fix
Problem summary
A user might click links that call sensitive services through callService.do, because there currently is no mechanism to restrict such calls.
Problem conclusion
A fix for all releases of IBM BPM and WLE enables administrators to restrict callable services by type. The fix is secure by default and only allows AJAX services to be invoked via the callService.do URL. If you have custom client applications relying on callService.do exposing service types other than Ajax Services, you need to add configuration as described below. A configuration property is introduced to specify the whitelist of callable services. In 100Custom.xml, you can add the callservice-valid-services stanza to list one or more valid-service-entry elements: <server> <portal merge="mergeChildren"> <callservice-valid-services> <valid-service-entry>Ajax Service</valid-service-entry> </callservice-valid-services> </portal> </server> Possible values for valid-service-entry are: * all * none * Regular Service * Rule Service * Ajax Service * Human Service * Integration Service * Installation Service * General System Service * SCA Service * Case Manager Integration Service * Undercover Agent Passthrough Service If either the special keyword "all" or "none" is encountered in the list, all other entries will be ignored. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR50215: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR50215, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Temporary Fix:
Comments
APAR Information
APAR number
JR50215
Reported component name
BPM ADVANCED
Reported component ID
5725C9400
Reported release
801
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-05-12
Closed date
2014-09-02
Last modified date
2014-09-05
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM ADVANCED
Fixed component ID
5725C9400
Applicable component levels
R751 PSY
UP
R801 PSY
UP
R850 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.0.1","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
05 September 2014