IBM Support

Changes to Engineering Lifecycle Management related to Server-Side Request Forgery (SSRF) vulnerabilities.

How To


Summary

ELM 7.0.2 iFix004, ELM 7.0.1 iFix009, CLM 6.0.6.1 iFix018, and CLM 6.0.6 iFix022 changed the behavior of all OpenSocial gadgets and RSS feeds that fetch content from an external service or location. The change reduces the SSRF exposure by allowing communication only to sites that are explicitly listed in the allowlist. Although this change reduces the security exposure of ELM/CLM, it can prevent some widgets from functioning after these interim fixes are applied.

Objective

Before ELM 7.0.2 iFix004, ELM 7.0.1 iFix009, CLM 6.0.6.1 iFix018, and CLM 6.0.6 iFix022, the default allowlist (also referred to as a “whitelist”) allowed all OpenSocial gadgets and RSS feeds to communicate freely and did not block any interactions. With these interim fixes, all communication from OpenSocial gadgets and RSS feeds that fetch content from an external service or location is blocked by default.
Follow the instructions in this document to allow the OpenSocial gadgets and RSS feeds to communicate to appropriate sites.

Steps

Setting up the allowlist to prevent SSRF attacks

Server-Side Request Forgery (SSRF) vulnerabilities might occur when a web application includes functions to fetch content from an external service or location. The external service might be a public third-party service or an internal private system.

Attackers use this vulnerability to send requests to other public systems, internal systems within the organization, or services available on the local loopback adapter of the application server itself.

A successful attack might cause the application to disclose sensitive information to the attacker or induce the application to retrieve and process malicious content. When Engineering Lifecycle Management (ELM) is used as an attack proxy, an attacker might attempt the following attack vectors through the SSRF vulnerability:

  • Bypass access controls that prevent accessing internal or external URLs, services, systems, and content.
  • Conduct port scanning of hosts in internal networks.

To prevent the SSRF issue, ELM must maintain an allowlist of externally requested services and hosts and block any interactions that do not appear on the allowlist.

To set up the allowlist, you must configure the following service areas:

  1. The External resources allowlist property on the Advanced Properties page of the Jazz Team Server (JTS).

Note: This property is available only on the JTS and affects OpenSocial gadgets and the RSS Feeds service.

  2. The Whitelist (Outbound) page for each registered application.

Complete the following steps to set up the allowlist:

  1. On the Jazz Team Server Administration page, click the Administration icon; then, click Manage Server.
  2. On the Advanced Properties page, configure the External resources allowlist property by adding URLs for Gadgets and Feeds for all apps.

Note:

  • Enter absolute URLs separated by a comma. Do not add a space after the comma.
  • You can enter an asterisk (*) to allow all URLs.

[Image: External resources allowlist property on the Advanced Properties page]

  3. Next, to customize filtering for each app, scroll down and configure the Jazz Authentication Proxy Whitelist property.
  4. To allow access for each registered application, on the Server Administration page, click the Administration icon and then click Manage Server.
  5. Under Communication, click Whitelist (Outbound).
  6. On the URL Whitelist page, in the Enter Base URL field, enter the absolute URL for the registered app.

Note: This setting affects several features in ELM, including the OpenSocial gadgets and RSS Feeds.

[Image: URL Whitelist (Outbound) page with the Enter Base URL field]

Additional Information

  • Changes require 10 minutes to take effect.
  • URLs of friend servers and registered apps are allowed by both allowlists. An empty list blocks all external URLs.
  • OpenSocial Gadgets and the RSS Feed service allow connections to any URL that is on either the External resources allowlist or the Jazz Authentication Proxy Whitelist.
  • To restore the behavior of versions before 7.0.1 iFix009 and 7.0.2 iFix004 (all URLs allowed), enter an asterisk (*) in the External resources allowlist property.
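The following Python model, added here as an illustration and not part of the IBM product or this document, shows how the rules above combine: an empty list blocks every outbound fetch, an asterisk allows everything, a URL is allowed if it matches an entry on either list, and an entry that picks up a space after the comma never matches. The page does not state the product's exact matching rule, so the model assumes a prefix match on scheme, host, port and path; the function names (`parse_allowlist`, `entry_matches`, `is_fetch_allowed`) and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_allowlist(value: str) -> list:
    """Split a comma-separated allowlist property value into entries.

    Entries are kept verbatim (assumption: the product does not trim them), so
    ' https://b.example' written after a comma keeps its leading space. Such an
    entry is not a valid absolute URL and can never match, which is why the
    document says not to add a space after the comma.
    """
    if not value:
        return []          # empty property: nothing is allowed
    return value.split(",")


def _normalize(url: str):
    """Return (scheme, host, port, path) with defaults filled in.

    Raises ValueError for malformed ports; callers treat that as no match.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # hostname is already lowercased
    port = parts.port or DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path


def entry_matches(entry: str, url: str) -> bool:
    """Assumed rule: '*' matches everything; otherwise the entry must be an
    absolute URL whose scheme, host and port equal the request's, and whose
    path is the request path or a directory prefix of it."""
    if entry == "*":
        return True
    if not entry or any(c.isspace() for c in entry):
        return False      # whitespace means the entry was mistyped
    try:
        e_scheme, e_host, e_port, e_path = _normalize(entry)
        u_scheme, u_host, u_port, u_path = _normalize(url)
    except ValueError:
        return False
    if not e_scheme or not e_host:
        return False      # relative entries never match: absolute URLs only
    if (e_scheme, e_host, e_port) != (u_scheme, u_host, u_port):
        return False
    prefix = e_path if e_path.endswith("/") else e_path + "/"
    return u_path == e_path or u_path.startswith(prefix)


def is_fetch_allowed(url: str, external_resources_allowlist: str,
                     auth_proxy_whitelist: str) -> bool:
    """A gadget or feed fetch is allowed if ANY entry on EITHER list matches."""
    entries = (parse_allowlist(external_resources_allowlist)
               + parse_allowlist(auth_proxy_whitelist))
    return any(entry_matches(e, url) for e in entries)


if __name__ == "__main__":
    # Constructed sample configuration and fetch targets for the demo.
    external = "https://feeds.example.com/rss,https://widgets.example.com/gadgets"
    proxy = "https://app.example.com/ccm"
    for target in ("https://feeds.example.com/rss/news.xml",
                   "https://app.example.com/ccm/web/projects",
                   "http://127.0.0.1:9443/jts/admin",
                   "https://feeds.example.com/rssfeed"):
        verdict = "allowed" if is_fetch_allowed(target, external, proxy) else "BLOCKED"
        print(f"{verdict:8} {target}")
```

The loopback URL in the demo is blocked simply because it is on neither list; that is the default-deny behaviour the interim fixes introduce, and the asterisk entry is the only way to reopen it wholesale.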

Document Location

Worldwide


Document Information

Modified date:
25 June 2021

UID

ibm16466981