IBM Support

JR57134: YOU GET A CROSS-SITE REQUEST FORGERY ATTACK WARNING WHILE ACCESSING THE SCA BINDINGS PAGE IN THE WEBSPHERE ADMIN CONSOLE

Direct links to fixes

bpm.8570.cf2017.03.delta.repository
Downloading IBM Business Process Manager V8.5.7 Cumulative Fix 2017.03

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • In IBM Business Process Manager (BPM) Advanced V8.5.7 CF
2016.06, CF 2016.09, and CF 2016.12, when you log in to the
WebSphere Admin Console, select an SCA module, and click an
imports or exports binding, you might see the following
cross-site security (XSS) warning:

The request did not contain a valid security token, and could
potentially be a cross-site request forgery attack.
If you initiated this request and wish to continue processing,
click Continue.
If you do not wish to process this request, please close your
browser window.

Local fix

  • Ignore the warning and click Continue to continue your
processing.

Problem summary

  • While initializing the SCA Module components page, the csrfid
request parameter might be lost, which causes the cross-site
request forgery attack warning when you view the imports or
exports bindings panel.

Problem conclusion

  • A fix will be included in IBM BPM V8.5.7 cumulative fix 2017.03
that adds the missing csrfid request parameter to avoid the
warning message.

To determine whether the cumulative fix is available and
download it if it is, complete the following steps on Fix
Central:

1.    On the Select product tab, select WebSphere as the product
group, IBM Business Process Manager with your edition from the
WebSphere options, All as the installed version, and All as the
platform, and then click Continue.
2.    In the Text field, enter "cumulative fix?, and click
Continue.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR57134
    • 

  • Reported component name
    BPM ADVANCED
    • 

  • Reported component ID
    5725C9400
    • 

  • Reported release
    857
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2016-12-08
    • 

  • Closed date
    2017-01-18
    • 

  • Last modified date
    2017-01-18
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM ADVANCED
    • 

  • Fixed component ID
    5725C9400
    • 



Applicable component levels


    

  • R857  PSY
       UP
    • 








      
          
                    

          

          [{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"857","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
          

                    

        
        

        

      


      


        

            

            
Document Information


            

            


                        

            Modified date:
            

            18 January 2017
            

            
            
          

        


        

        


      


    


  





    

  



  
    
      

      
Page Feedback