JR50215: SECURITY APAR CVE-2014-4758 - NO ACCESS RESTRICTION ON SERVICE TYPES ON CALLSERVICE URL INVOCATION

Download Version 8.0.1 Fix Pack 3 for the IBM Business Process Manager products
Version 8.5 Refresh Pack 6 for the IBM Business Process Manager products
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products

APAR status

• Closed as program error.

Error description

• Because there is no access restriction based on service type
  when invoking a service using the callService URL,
  services that were meant for internal use only are exposed.
  
  
  PRODUCTS AFFECTED:
  IBM Business Process Manager (BPM) Advanced
  IBM BPM Standard
  IBM BPM Express
  

Local fix

Problem summary

• A user might click links that call sensitive services through
  callService.do, because there currently is no mechanism to
  restrict such calls.
  

Problem conclusion

• A fix for all releases of IBM BPM and WLE enables administrators
   to restrict callable services by type. The fix is secure by
  default and only allows AJAX services to be invoked via the
  callService.do URL. If you have custom client applications
  relying on callService.do exposing service types other than Ajax
   Services, you need to   add configuration as described below.
  
  A configuration property is introduced to specify the whitelist
  of callable services. In 100Custom.xml, you can add the
  callservice-valid-services stanza to list one or more
  valid-service-entry elements:
  <server>
  <portal merge="mergeChildren">
  <callservice-valid-services>
  <valid-service-entry>Ajax Service</valid-service-entry>
  </callservice-valid-services>
  </portal>
  </server>
  
  Possible values for valid-service-entry are:
  * all
  * none
  * Regular Service
  * Rule Service
  * Ajax Service
  * Human Service
  * Integration Service
  * Installation Service
  * General System Service
  * SCA Service
  * Case Manager Integration Service
  * Undercover Agent Passthrough Service
  
  If either the special keyword "all" or "none" is encountered in
  the list, all other entries will be ignored.
  
  On Fix Central (http://www.ibm.com/support/fixcentral), search
  for JR50215:
  1. Select IBM Business Process Manager with your edition from
  the product selector, the installed version to the fix pack
  level, and your platform, and then click Continue.
  2. Select APAR or SPR, enter JR50215, and click Continue.
  
  When you download fix packages, ensure that you also download
  the readme file for each fix. Review each readme file for
  additional installation instructions and information about the
  fix.
  

Temporary fix

• Temporary Fix:
  

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM ADVANCED

• Fixed component ID

  5725C9400

Applicable component levels

• R751 PSY

     UP

• R801 PSY

     UP

• R850 PSY

     UP