IBM Support

Security Bulletin: Missing authorization concept for document upload and download in IBM Business Process Manager (BPM) CMIS integration (CVE-2015-1904)

Security Bulletin


Summary

IBM Business Process Manager offers integration with external Enterprise Content Management (ECM) systems. If a process app is configured to always connect to an external ECM system using a predefined technical system account (rather than the actual end user), then the process app developer has no way of controlling access to upload or download functions for documents in the external ECM system.

Vulnerability Details

CVEID: CVE-2015-1904
DESCRIPTION:
 IBM Business Process Manager offers integration with external Enterprise Content Management (ECM) systems. If a process app is configured to always connect to an external ECM system using a predefined technical system account (rather than the actual end user), then the process app developer has no way of controlling access to upload or download functions for documents in the external ECM system.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101728 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

  • IBM Business Process Manager V8.0.x through V8.5.6.0

Remediation/Fixes

Install the interim fix for APAR JR53209 as appropriate for your current IBM Business Process Manager version.



This fix introduces a server-side configuration option to enable/disable a customizable security service. This service can check the permission of a user and can be created and selected using the new service selector labeled "External ECM Document Authorization Service". It is added to the Server Settings for the added Enterprise Content Manager Server(s) and is needed for server definitions with the "Always use this connection information" checkbox enabled.

The service is used by the Document List and Document Viewer coach views from the Content Management (SYSCM) toolkit when they perform operations that cannot be customized using an Ajax Service. These operations are the creation, update, and download of a document. The service is not used when you directly invoke the Content Integration operation from a human service, Ajax service, and integration service.

This service should have the following signature:

Input parameters:
1. documentId (ECMID)
2. objectTypeId (ECMID)
3. action (String) The actions available for creating, downloading, and updating external ECM documents are: "ACTION_CREATE_DOCUMENT", "ACTION_GET_DOCUMENT_CONTENT", and "ACTION_UPDATE_DOCUMENT" respectively.
4. serverName (String)

Output parameter:
1. authorized (Boolean)

The following example is a sample configuration of new option, which you can configure in the 100Custom.xml file:

<server>
<!-- enable the document authorization security service -->
<enable-document-authorization-security-service>true</enable-document-authorization-security-service>
</server>

For more information, see “Changing server properties in 100Custom.xml” and “The 99Local.xml and 100Custom.xml configuration files”.

Note: The new configuration option is enabled and no service is defined by default. In order to continue using the Document List and Document Viewer coach views, the security service should either be created and implemented or it should be disabled by setting the configuration option mentioned above to false in the 100Custom.xml file.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Off

Change History

2015-07-29: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.6;8.5.5;8.5.0.1;8.5;8.0.1.3;8.0.1.2;8.0.1.1;8.0.1;8.0","Edition":""},{"Product":{"code":"SSFTBX","label":"IBM Business Process Manager Express"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"Security","Platform":[{"code":"PF016","label":"Linux"},{"code":"","label":"Linux zSeries"},{"code":"PF033","label":"Windows"}],"Version":"8.5.6;8.5.5;8.5.0.1;8.5;8.0.1.3;8.0.1.2;8.0.1.1;8.0.1;8.0","Edition":""},{"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"","label":"Linux zSeries"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"8.5.6;8.5.5;8.5.0.1;8.5;8.0.1.3;8.0.1.2;8.0.1.1;8.0.1;8.0","Edition":""}]

Document Information

Modified date:
15 June 2018

UID

swg21960293