IBM Support

JR51391: SECURITY APAR CVE-2014-6139 - INSUFFICIENT AUTHORIZATION IN SEARCH API


APAR status

  • Closed as program error.

Error description

  • Using the "Search" REST API, non-administrative users can search
    for task and process instances that they are not allowed to see
    by specifying a parameter that should only be available to
    administrative users.
    

Local fix

Problem summary

  • IBM Business Process Manager provides a REST API to search for
    task and process instances. Usually searches return filtered
    result lists, containing only results that the current user is
    authorized to see. For administrative use cases, a parameter
    called "filterByCurrentUser" was introduced to also enable
    unfiltered searches (by setting it to "false").
    
    However, there is no authorization check in place to verify that
    the current user is an administrative user who is allowed to
    specify this parameter, so the result may contain task and
    process instances the user is not authorized to see, potentially
    containing sensitive information.
    

Problem conclusion

  • A fix is available for IBM BPM that adds an authorization check
    for the REST API which verifies that only administrative users
    are allowed to perform unfiltered searches. The parameter is
    ignored and defaults to filtered searches for all other users.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR51391:
    
    1. Select IBM Business Process Manager with your edition from
       the product selector, the installed version to the fix pack
       level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR51391, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
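
    The following is an added illustration of the authorization logic described in the problem summary and problem conclusion above; it is not IBM's code and does not model the real BPM REST implementation. The task data, the administrative role membership and the two handler functions are constructed for this example. It contrasts a handler that honours "filterByCurrentUser=false" for any caller with one that derives the effective filter from the authenticated user's role, ignoring the parameter for non-administrators.

```python
from dataclasses import dataclass

# Constructed sample data (not from the APAR): task instances owned by several users.
@dataclass(frozen=True)
class TaskInstance:
    task_id: int
    owner: str

TASKS = [
    TaskInstance(1, "alice"),
    TaskInstance(2, "bob"),
    TaskInstance(3, "alice"),
    TaskInstance(4, "carol"),
]

# Hypothetical administrative role membership, looked up server-side from the
# authenticated principal, never from anything the client sends.
ADMIN_USERS = {"admin"}


def _filter_requested(query: dict) -> bool:
    """Parse the REST query parameter. Only an explicit "false" disables filtering;
    a missing or malformed value keeps the safe default (filtered)."""
    return query.get("filterByCurrentUser", "true").strip().lower() != "false"


def search_vulnerable(user: str, query: dict) -> list:
    """Pre-fix behaviour: the parameter is honoured for every caller, so any
    authenticated user can turn filtering off and see other users' instances."""
    filter_by_user = _filter_requested(query)
    return [t for t in TASKS if not filter_by_user or t.owner == user]


def search_fixed(user: str, query: dict) -> list:
    """Post-fix behaviour: the parameter is consulted only when the caller is an
    administrator; for everyone else it is ignored and filtering stays on."""
    requested = _filter_requested(query)
    filter_by_user = requested if user in ADMIN_USERS else True
    return [t for t in TASKS if not filter_by_user or t.owner == user]


def task_ids(results: list) -> list:
    """Convenience helper returning just the ids of a result list."""
    return [t.task_id for t in results]
```

The point to carry over to any real deployment is that the authorization decision is keyed on the server's view of the caller's role, so a non-administrator sending the parameter gets exactly what they would get without it.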
    

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR51391

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    801

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-09-30

  • Closed date

    2014-12-11

  • Last modified date

    2014-12-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP


Document Information

Modified date:
11 December 2014