IBM Support

JR57134: YOU GET A CROSS-SITE REQUEST FORGERY ATTACK WARNING WHILE ACCESSING THE SCA BINDINGS PAGE IN THE WEBSPHERE ADMIN CONSOLE


APAR status

  • Closed as program error.

Error description

  • In IBM Business Process Manager (BPM) Advanced V8.5.7 CF
    2016.06, CF 2016.09, and CF 2016.12, when you log in to the
    WebSphere Admin Console, select an SCA module, and click an
    imports or exports binding, you might see the following
    cross-site request forgery (CSRF) warning:
    
    The request did not contain a valid security token, and could
    potentially be a cross-site request forgery attack.
    If you initiated this request and wish to continue processing,
    click Continue.
    If you do not wish to process this request, please close your
    browser window.
    

Local fix

  • Ignore the warning and click Continue to continue your
    processing.
    

Problem summary

  • While initializing the SCA Module components page, the csrfid
    request parameter might be lost, which causes the cross-site
    request forgery attack warning when you view the imports or
    exports bindings panel.
    
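The mechanism behind this APAR, as an added illustration that is not IBM's code: a minimal synchronizer-token check of the kind the console's warning implies, an assumed page-initialization link builder that rebuilds the bindings link and drops the csrfid parameter, and the corrected builder that propagates it. The session store, URL paths and function names are constructed for illustration; only the parameter name csrfid and the warning text come from the APAR.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the console's session store: session id -> CSRF token.
SESSIONS: Dict[str, str] = {}

CSRF_WARNING = ("The request did not contain a valid security token, and could "
                "potentially be a cross-site request forgery attack.")


def new_session() -> str:
    """Create a session and mint its per-session synchronizer token."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = secrets.token_urlsafe(24)
    return sid


def components_page_url(sid: str, module: str) -> str:
    """Constructed URL of the SCA module components page, carrying the session's csrfid."""
    return "/console/sca/components?" + urlencode({"module": module, "csrfid": SESSIONS[sid]})


def check_request(sid: str, url: str) -> Optional[str]:
    """Return None when the request carries the session's csrfid, otherwise the warning."""
    sent = parse_qs(urlparse(url).query).get("csrfid", [""])[0]
    expected = SESSIONS.get(sid, "")
    if expected and hmac.compare_digest(sent, expected):
        return None
    return CSRF_WARNING


def bindings_link_broken(current_url: str, module: str) -> str:
    """Assumed pre-fix behaviour: the link is rebuilt from scratch, so csrfid is lost."""
    return "/console/sca/bindings?" + urlencode({"module": module})


def bindings_link_fixed(current_url: str, module: str) -> str:
    """Assumed fixed behaviour: csrfid from the rendering request is carried forward."""
    params = parse_qs(urlparse(current_url).query)
    query = {"module": module}
    if "csrfid" in params:
        query["csrfid"] = params["csrfid"][0]
    return "/console/sca/bindings?" + urlencode(query)
```

The check also rejects a token that does not belong to the session, which is why the local fix of clicking Continue should only be used for a request you initiated yourself.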

Problem conclusion

  • A fix will be included in IBM BPM V8.5.7 cumulative fix 2017.03
    that adds the missing csrfid request parameter to avoid the
    warning message.
    
    To determine whether the cumulative fix is available and
    download it if it is, complete the following steps on Fix
    Central:
    
    1. On the Select product tab, select WebSphere as the product
       group, IBM Business Process Manager with your edition from the
       WebSphere options, All as the installed version, and All as the
       platform, and then click Continue.
    2. In the Text field, enter "cumulative fix", and click
       Continue.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR57134

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    857

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-12-08

  • Closed date

    2017-01-18

  • Last modified date

    2017-01-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R857 PSY

       UP


Document Information

Modified date:
18 January 2017