IBM Support

RS03197: JSP MANAGEJOBSPROGRESS COULD BE INVOKED BY AN UNAUTHENTICATED USER

APAR status

  • Closed as program error.

Error description

  • The code in the JSP /manageJobsProgress.jsp could be invoked
    by an unauthenticated user simply by entering the URL in a web
    browser: the server returns HTTP status 200 instead of HTTP
    status 401 Unauthorized.
    
    Notes:
    1. This JSP is only invoked by the Enterprise console when
    working with DVS.
    2. If the request is forged (for example, the value of a
    parameter is changed), the server answers HTTP status 200 but
    the back-end code is not invoked.
    3. If the request has the correct parameters, the server
    answers HTTP status 200 and the back-end code could be invoked.
    The execution could be random, but it only performs read-only
    access to the data.
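
    A log check for the condition described above, added here as an example and not part of the IBM record: it scans web access logs for requests to the JSP that were answered with status 200 while no authenticated user was recorded. It assumes NCSA Common Log Format; the context root /ctx, the user name, the query string and the addresses in the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed format (NCSA Common Log Format):
#   host ident authuser [date] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
JSP_NAME = "/manageJobsProgress.jsp"  # path named in the APAR; context root varies


def unauthenticated_hits(lines):
    """Return entries where the JSP answered 200 with no authenticated user."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed log format
        path = urlsplit(m["target"]).path
        # Servlet containers may append ";jsessionid=..." as a path parameter.
        path = path.split(";", 1)[0]
        if not path.endswith(JSP_NAME):
            continue
        # Per the APAR, a forged request is also answered with 200, so a hit
        # shows the page was reachable, not that back-end code ran.
        if m["status"] == "200" and m["user"] == "-":
            hits.append({"host": m["host"], "time": m["ts"], "target": m["target"]})
    return hits


# Constructed sample lines (documentation addresses, placeholder context root).
SAMPLE = [
    '192.0.2.10 - alice [24/Sep/2018:10:01:02 +0000] "GET /ctx/manageJobsProgress.jsp?p=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Sep/2018:10:05:40 +0000] "GET /ctx/manageJobsProgress.jsp?p=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Sep/2018:10:06:11 +0000] "GET /ctx/manageJobsProgress.jsp HTTP/1.1" 401 0',
    '203.0.113.5 - - [24/Sep/2018:10:07:00 +0000] "GET /ctx/login.jsp HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in unauthenticated_hits(SAMPLE):
        print(hit["time"], hit["host"], hit["target"])
```

    On a fixed server the same request should be logged with status 401, as in the third sample line, and is not reported.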
    

Local fix

  • N/A
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Users in the decision center.                                *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Unauthenticated users can access some ODM pages, which could *
    * cause unauthorized use of ODM.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    

Problem conclusion

  • The code was fixed.
    

Temporary fix

Comments

APAR Information

  • APAR number

    RS03197

  • Reported component name

    WS DECISION CTR

  • Reported component ID

    5725B6900

  • Reported release

    881

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-09-21

  • Closed date

    2018-09-24

  • Last modified date

    2018-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WS DECISION CTR

  • Fixed component ID

    5725B6900

Applicable component levels

  • R881 PSY

       UP

Document Information

Modified date:
03 November 2021