Security Bulletin
Summary
IBM Maximo Asset Management could allow an authenticated user to delete a record that they should not normally be able to.
Vulnerability Details
CVEID: CVE-2019-4530
DESCRIPTION: IBM Maximo Asset Management could allow an authenticated user to delete a record that they should not normally be able to.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Maximo Asset Management | 7.6.0 |
| IBM Maximo Asset Management | 7.6.1 |
| IBM Maximo Asset Management | 7.6.1.1 |
Remediation/Fixes
Please refer to Workarounds and Mitigations
Workarounds and Mitigations
The MXAPIWODETAIL object structure provides information on work order records in Maximo. While work center users need access to read, insert, and save work orders using this object structure, they do not need access to delete work orders. The APAR fix removes the DELETE authorization for the MXAPIWODETAIL object structure from the TECHNICIAN and SUPERVISOR templates.
While this fix ensures that incorrect access settings are not applied to any future groups, it does not revoke the existing delete access that was previously granted by the templates. You must remove access to the DELETE authorization in the MXAPIWODETAIL object structure for all groups that are linked to either the SUPERVISOR or TECHNICIAN templates.
To remove the existing delete access, perform the following steps for each group that is linked to either the SUPERVISOR or TECHNICIAN templates:
1. Open the Security Groups application.
2. Find the group that is linked to either the SUPERVISOR or TECHNICIAN templates and open it.
3. Click the Object Structures tab.
4. In the Object Structures table, find the MXAPIWODETAIL row and select it.
5. In the options table, uncheck the Grant Access check box for only the Delete MXAPIWODETAIL option.
6. Save the record.
In versions of Maximo Asset Management prior to 7.6.1.2, you must also update the TECHNICIAN and SUPERVISOR templates to remove the DELETE authorization for the MXAPIWODETAIL object structure. However, you cannot modify out-of-the-box templates by using the user interface. You must execute the following database statement to remove the delete access:
-- Removes the DELETE option for MXAPIWODETAIL from the TECHNICIAN and SUPERVISOR work center templates
delete from wctemplateauth
 where app = 'MXAPIWODETAIL'
   and workcenter in ('TECHNICIAN','SUPERVISOR')
   and template in ('TECHNICIAN','SUPERVISOR')
   and optionname = 'DELETE';
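The two halves of the remediation (fixing the templates, then revoking the access that groups already inherited from them) can be rehearsed against a small in-memory copy of the relevant tables before touching a production database. The script below is an added example, not IBM's code. The wctemplateauth table and its columns (app, workcenter, template, optionname) are taken from the statement above; the group-level table applicationauth (app, groupname, optionname) is an assumption about the Maximo schema and should be confirmed against your own instance. The sample rows are constructed, and because the bulletin does not name the table that links groups to templates, the audit lists every group holding DELETE on MXAPIWODETAIL for the administrator to review rather than trying to infer the linkage.

```python
"""Rehearse the bulletin's remediation against an in-memory SQLite model (added example)."""
import sqlite3

OBJECT_STRUCTURE = "MXAPIWODETAIL"
TEMPLATES = ("TECHNICIAN", "SUPERVISOR")


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data, not a Maximo export.

    wctemplateauth comes from the bulletin's own SQL. applicationauth is ASSUMED to be
    the group-level authorization table; verify the name and columns in your schema.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wctemplateauth (app TEXT, workcenter TEXT, template TEXT, optionname TEXT);
        CREATE TABLE applicationauth (app TEXT, groupname TEXT, optionname TEXT);
    """)
    # Each template grants the four options; DELETE is the one the fix removes.
    template_rows = [(OBJECT_STRUCTURE, t, t, opt)
                     for t in TEMPLATES for opt in ("READ", "INSERT", "SAVE", "DELETE")]
    conn.executemany("INSERT INTO wctemplateauth VALUES (?,?,?,?)", template_rows)
    # Groups created from the templates before the fix inherited DELETE (constructed names).
    group_rows = [
        (OBJECT_STRUCTURE, "SITE1TECH", "READ"), (OBJECT_STRUCTURE, "SITE1TECH", "DELETE"),
        (OBJECT_STRUCTURE, "SITE1SUPV", "READ"), (OBJECT_STRUCTURE, "SITE1SUPV", "DELETE"),
        (OBJECT_STRUCTURE, "MAXADMIN", "DELETE"),  # an admin group that keeps DELETE on purpose
    ]
    conn.executemany("INSERT INTO applicationauth VALUES (?,?,?)", group_rows)
    return conn


def template_delete_grants(conn) -> list:
    """Templates still granting DELETE on the object structure; empty once the fix is applied."""
    cur = conn.execute(
        "SELECT template FROM wctemplateauth WHERE app=? AND optionname='DELETE' "
        "AND template IN (?,?) ORDER BY template",
        (OBJECT_STRUCTURE, *TEMPLATES))
    return [r[0] for r in cur]


def group_delete_grants(conn) -> list:
    """Groups holding DELETE on the object structure, for review against the bulletin's scope."""
    cur = conn.execute(
        "SELECT groupname FROM applicationauth WHERE app=? AND optionname='DELETE' "
        "ORDER BY groupname", (OBJECT_STRUCTURE,))
    return [r[0] for r in cur]


def apply_template_fix(conn) -> int:
    """The bulletin's DELETE statement, parameterised; returns the number of rows removed."""
    cur = conn.execute(
        "DELETE FROM wctemplateauth WHERE app=? AND workcenter IN (?,?) "
        "AND template IN (?,?) AND optionname='DELETE'",
        (OBJECT_STRUCTURE, *TEMPLATES, *TEMPLATES))
    conn.commit()
    return cur.rowcount


def revoke_group_delete(conn, groups) -> int:
    """Database equivalent of unchecking Grant Access for 'Delete MXAPIWODETAIL' per group."""
    cur = conn.executemany(
        "DELETE FROM applicationauth WHERE app=? AND groupname=? AND optionname='DELETE'",
        [(OBJECT_STRUCTURE, g) for g in groups])
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_sample_db()
    print("templates with DELETE before fix:", template_delete_grants(db))
    print("template rows removed:", apply_template_fix(db))
    print("templates with DELETE after fix:", template_delete_grants(db))
    # The template fix alone leaves every group's inherited DELETE in place.
    print("groups still holding DELETE:", group_delete_grants(db))
    print("group grants revoked:", revoke_group_delete(db, ["SITE1TECH", "SITE1SUPV"]))
    print("groups holding DELETE after revocation:", group_delete_grants(db))
```

Running it shows the point made above: after the template statement the two templates no longer grant DELETE, but both groups created from them still do, and only the second step clears them. The audit query in `group_delete_grants` is the one worth keeping, as a recurring check that DELETE on MXAPIWODETAIL is held only by the groups you intend.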
References
Change History
15 Nov 2019: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
12 January 2022
UID
ibm11108503