APAR status
Closed as program error.
Error description
The Rational Build Forge web application was found to use client-side controls (JavaScript) to prevent the user from accessing certain application functionality under the Security sub-menu. It is possible to bypass client-side controls by removing the disabled attribute. Testing identified that there were no server-side controls applied to the Export Key File function, so a low-level user can export this file. A low-privileged non-admin user with access to the web application can modify the client-side controls. This vulnerability may result in the disclosure of sensitive information and potentially authorisation bypass. Testing performed allowed a low-privileged user to export the key file; other similar vulnerabilities may exist within the application.
Local fix
Problem summary
USERS AFFECTED:
PROBLEM DESCRIPTION:
RECOMMENDATION:
The command implementation lacked the appropriate security check.
Problem conclusion
The appropriate check for the EditSecurity permission is now in place.
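The error description and the conclusion above describe one defect: the Export Key File command was guarded only by a disabled button in the browser, and the fix was to enforce the EditSecurity permission on the server. The following is an added illustration, not Build Forge code, of the vulnerable pattern beside the corrected one. The command names, the `User` model, the `require_permission` decorator and the placeholder key content are all assumptions constructed for the example; the only name taken from the page is the EditSecurity permission. It also adds a small registry audit that lists commands shipping without a server-side permission check, which is how a team would look for the "other similar vulnerabilities" the description warns about.

```python
"""Client-side versus server-side authorization for a privileged command.

Added example; the web application, handler names and key content are
constructed for illustration and are not the product's own code.
"""
from dataclasses import dataclass, field
from functools import wraps

# Constructed placeholder; a real key file would never be embedded in code.
KEY_FILE = "-----BEGIN PLACEHOLDER KEY-----\nexample-only\n-----END PLACEHOLDER KEY-----\n"


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


class Forbidden(Exception):
    """Raised when a server-side permission check fails."""


def render_security_menu(user):
    """Client-side control only: the button is rendered disabled for users
    without EditSecurity.  This affects nothing but the HTML the browser
    shows; the endpoint itself is still reachable."""
    disabled = "" if "EditSecurity" in user.permissions else " disabled"
    return f'<button id="export-key"{disabled}>Export Key File</button>'


def export_key_file_vulnerable(user):
    """Vulnerable handler: trusts that the UI prevented the request and
    performs no authorization check of its own."""
    return KEY_FILE


def require_permission(permission):
    """Decorator enforcing a permission on the server for every request,
    regardless of what the client rendered or sent."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if permission not in user.permissions:
                raise Forbidden(f"{user.name} lacks {permission}")
            return handler(user, *args, **kwargs)
        wrapper.required_permission = permission  # recorded for the audit below
        return wrapper
    return decorator


@require_permission("EditSecurity")
def export_key_file_fixed(user):
    """Corrected handler: the check runs on the server before any data is returned."""
    return KEY_FILE


def dispatch(handler, user):
    """Simulate a direct HTTP request to the command endpoint, i.e. a user who
    re-enabled the button or crafted the request by hand.  Returns (status, body)."""
    try:
        return 200, handler(user)
    except Forbidden as exc:
        return 403, str(exc)


# Hypothetical registry of commands under the Security sub-menu.
SECURITY_COMMANDS = {
    "export_key_file": export_key_file_fixed,
    "export_key_file_legacy": export_key_file_vulnerable,
}


def unguarded_commands(registry=SECURITY_COMMANDS):
    """Return the names of registered commands that carry no server-side
    permission requirement.  Each name is a finding to fix, not a feature."""
    return sorted(name for name, h in registry.items()
                  if getattr(h, "required_permission", None) is None)


if __name__ == "__main__":
    low = User("alice")
    admin = User("root", frozenset({"EditSecurity"}))
    print(render_security_menu(low))
    print("vulnerable, low user:", dispatch(export_key_file_vulnerable, low)[0])
    print("fixed, low user:     ", dispatch(export_key_file_fixed, low)[0])
    print("fixed, admin:        ", dispatch(export_key_file_fixed, admin)[0])
    print("unguarded commands:  ", unguarded_commands())
```

The point the example makes is that `render_security_menu` and `export_key_file_fixed` are independent: the first decides what the browser shows, the second decides what the server will do, and only the second is a security control. The `unguarded_commands` audit is the kind of check worth running in CI so that a new command cannot be registered under the Security sub-menu without a declared permission.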
Temporary fix
Comments
APAR Information
APAR number
PM38058
Reported component name
BUILD FORGE EE
Reported component ID
5724S2701
Reported release
712
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-04-29
Closed date
2011-08-31
Last modified date
2011-08-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUILD FORGE EE
Fixed component ID
5724S2701
Applicable component levels
R712 PSN
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSB2MV","label":"Rational Build Forge"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
31 August 2011