Direct links to fixes
APAR status
Closed as program error.
Error description
IBM Business Process Manager (BPM) supports cross-site request forgery (CSRF) protection by using a configurable whitelist of domains for the HTTP REFERER header.
Local fix
Problem summary
No additional information is available.
PRODUCTS AFFECTED
IBM BPM Advanced
IBM BPM Standard
IBM BPM Express
Problem conclusion
A fix is available for IBM BPM V8.5.6.0 cumulative fix 2 and will be included in IBM BPM V8.5.7.0 CF2016.09. It introduces a feature for checking the Origin header and includes additional protection that uses a whitelist of acceptable Origin header values. Interim Fix JR56105 on top of BPM 8.5.6 CF02 is available on request from BPM Runtime Level 3 support. To enable this feature, configure the com.ibm.mashups.usersearch.blocked property as described in the readme file for your version of the product.

When sending XML HTTP (Ajax) requests, browsers include an HTTP request header called "Origin" that contains the protocol, host, and port of the site that served the main content the browser is currently displaying. When configuring IBM BPM, the domains that host user interfaces which send XML HTTP requests to IBM BPM are known, so these domains can be added to the whitelist as the set of expected client origins. All other requests can be blocked.

The Origin header is more reliable than the REFERER header because it raises fewer privacy concerns: it does not contain the path or even the query parameters of the current page, so it is less likely to be suppressed by browser plug-ins.

You enable Origin header whitelisting by setting a deployment environment (DE) level custom property called ProcessServer.CsrfProtectionOriginWhitelist to a comma-separated list of acceptable protocol://host:port combinations. Example (assuming the deployment environment name is De1):

AdminTask.setBPMProperty(['-de', 'De1', '-name', 'ProcessServer.CsrfProtectionOriginWhitelist', '-value', 'https://bpm1.internal.customer.org:9443, https://portal.internal.customer.org'])

If REFERER header and Origin header whitelists are both configured, the REFERER whitelist is checked first. Both whitelists should be consistent because they serve the same purpose.

Note: The REFERER whitelist is parsed and only host names are extracted, whereas the full configured string (including protocol, host, and port) is compared to the current Origin HTTP request header to allow access to IBM BPM resources. This finer-grained protection is possible because Origin does not contain a full URL: it carries neither the path nor the query string parts of a URL. As with the REFERER whitelist, an empty or missing header is acceptable.
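The following is an added illustration of the two checks described above, written for this page and not IBM's own implementation. It models the documented semantics: the REFERER whitelist yields host names only, the Origin whitelist is compared as the full protocol://host:port string, the REFERER check runs first, and an empty or missing header passes. The whitelist values, header values, the `csrf_check` function, and the assumption that a request must pass both configured checks are constructed for the example; the format of the REFERER whitelist entries (host names or full URLs) is also an assumption, since the APAR does not specify it.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (hypothetical hosts, not from the APAR).
# Assumed REFERER whitelist format: comma-separated host names or URLs; only
# the host name of each entry is kept, as the APAR note describes.
REFERER_WHITELIST = "https://bpm1.internal.example.org:9443/ProcessPortal, portal.internal.example.org"
# Origin whitelist: the full protocol://host:port string is compared.
ORIGIN_WHITELIST = "https://bpm1.internal.example.org:9443, https://portal.internal.example.org"


def parse_referer_whitelist(value):
    """Extract only host names from each comma-separated entry."""
    hosts = set()
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # urlsplit needs a scheme or leading // to recognise a host.
        parts = urlsplit(entry if "://" in entry else "//" + entry)
        if parts.hostname:
            hosts.add(parts.hostname.lower())
    return hosts


def parse_origin_whitelist(value):
    """Keep each entry whole: protocol, host and port all matter."""
    return {e.strip().lower() for e in value.split(",") if e.strip()}


def referer_allowed(referer, allowed_hosts):
    # Empty or missing header is acceptable, per the APAR.
    if not referer:
        return True
    host = urlsplit(referer).hostname
    return host is not None and host.lower() in allowed_hosts


def origin_allowed(origin, allowed_origins):
    if not origin:
        return True
    return origin.strip().lower() in allowed_origins


def csrf_check(headers, referer_whitelist=REFERER_WHITELIST, origin_whitelist=ORIGIN_WHITELIST):
    """Return 'allowed', 'blocked: referer' or 'blocked: origin'.

    REFERER whitelist is evaluated first; assumption for this example: a
    request must pass every whitelist that is configured.
    """
    if referer_whitelist and not referer_allowed(headers.get("Referer"), parse_referer_whitelist(referer_whitelist)):
        return "blocked: referer"
    if origin_whitelist and not origin_allowed(headers.get("Origin"), parse_origin_whitelist(origin_whitelist)):
        return "blocked: origin"
    return "allowed"


def demo():
    """Constructed requests showing how the two whitelists differ in granularity."""
    cases = {
        # Same-origin Ajax call from the whitelisted portal: passes both checks.
        "same_origin": {"Origin": "https://bpm1.internal.example.org:9443",
                        "Referer": "https://bpm1.internal.example.org:9443/ProcessPortal/"},
        # Host matches the REFERER whitelist, but the port differs from the
        # Origin whitelist entry, so the finer-grained Origin check blocks it.
        "wrong_port": {"Origin": "https://bpm1.internal.example.org",
                       "Referer": "https://bpm1.internal.example.org/ProcessPortal/"},
        # Referer suppressed by a plug-in; Origin alone still identifies a
        # non-whitelisted site and the request is blocked.
        "foreign_origin_only": {"Origin": "https://other.example.com"},
        # Neither header present: acceptable under the documented rule, which
        # is why both whitelists should be configured consistently.
        "no_headers": {},
    }
    return {name: csrf_check(h) for name, h in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The `wrong_port` case is the point of the APAR's note: a REFERER whitelist that only keeps host names would accept https://bpm1.internal.example.org, while the Origin whitelist distinguishes it from https://bpm1.internal.example.org:9443. The `no_headers` case shows the documented behaviour that an absent header is not treated as a failure.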
Temporary fix
Comments
APAR Information
APAR number
JR56105
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
856
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-06-20
Closed date
2016-10-13
Last modified date
2016-10-13
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
Business Unit: IBM Software w/o TPS (BU059); Product: IBM Business Process Manager Standard (SSFTDH); Platform: Platform Independent (PF025); Version: 856; Line of Business: Automation (LOB45)
Document Information
Modified date:
04 September 2023