IBM Support

JR50760: SECURITY APAR CVE-2014-3076 - UNAUTHORIZED DISCLOSURE OF SYSTEM INFORMATION


APAR status

  • Closed as program error.

Error description

  • System information is disclosed to unauthorized users on a
    diagnostic page.
    

Local fix

Problem summary

  • IBM Business Process Manager V8.5.0.0 and later versions embed a
    document management component that provides a diagnostic page
    with detailed system information. This page is available to
    anonymous users by default.
    

Problem conclusion

  • A fix is available for IBM BPM 8.5.0.1 and 8.5.5.0 that adds a
    security constraint to the application that contains this page
    so that users must be mapped to a security role for access to
    this page. No manual application modification is required.
    Because this diagnostic page is not required in IBM BPM, a
    security role is reused that also protects other unused
    resources and, therefore, has no user or group mappings by
    default.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR50760:
    
    1. Select IBM Business Process Manager with your edition from
       the product selector, the installed version to the fix pack
       level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR50760, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    
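The mechanism the fix relies on, a Java EE security constraint whose role deliberately has no user or group bindings, is shown below as an added illustration. It is not the descriptor IBM ships with the fix; the URL pattern, display name and role name are placeholders chosen for this example, and the real values for the embedded document management application are not given on this page.

```xml
<!-- Added example, not IBM's shipped web.xml. Placeholder names throughout. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Constrain every HTTP method on the diagnostic page's path.
       No <http-method> elements are listed, so all methods are covered. -->
  <security-constraint>
    <display-name>Restrict diagnostic page</display-name>
    <web-resource-collection>
      <web-resource-name>DiagnosticPage</web-resource-name>
      <!-- placeholder path for the diagnostic page -->
      <url-pattern>/diagnostics/*</url-pattern>
    </web-resource-collection>

    <!-- Access requires membership in this role. The role is declared
         but intentionally left with no user or group mapping in the
         deployment bindings, so no principal (anonymous included)
         satisfies the constraint and the container refuses the request. -->
    <auth-constraint>
      <role-name>UnusedResourceAccess</role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Declare the role so the container knows it exists; the binding
       (role to users/groups) is left empty on purpose. -->
  <security-role>
    <role-name>UnusedResourceAccess</role-name>
  </security-role>

</web-app>
```

On WebSphere Application Server the role-to-principal mapping lives outside web.xml, in the application bindings (editable from the administrative console). With the binding left empty, the constraint denies everyone, which is the "no user or group mappings by default" behaviour the APAR describes. A quick defensive check after applying a fix of this kind is to request the protected path without credentials and confirm the server answers with a 401 or 403 rather than the page content; if a site later chooses to bind an administrator group to the role, that check should then succeed only for members of that group.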

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR50760

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-07-11

  • Closed date

    2014-07-31

  • Last modified date

    2014-07-31

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R850 PSY

       UP

  • R855 PSY

       UP

Document Information

Modified date:
31 July 2014