IBM Support

IV77992: TIVOLI PORTAL REST INTERFACE PRIVILEGES ESCALATION THROUGH AUTHORIZATION BYPASS

APAR status

  • Closed as program error.

Error description

  • Using the HTTP interface between the Tivoli Portal client and
    server, an attacker can modify the packets sent, thus changing
    authority/permission levels for user accounts.
    

Local fix

Problem summary

  • If using the HTTP/S interface between the Tivoli Enterprise
    Portal client and Tivoli Enterprise Portal Server, a malicious
    attacker can modify the packets sent, thus changing
    authority/permission levels for user accounts.
    

Problem conclusion

  • The APAR fix introduces additional authorization checking by the
    Tivoli Enterprise Portal Server before any user administration
    action is performed.
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
       | fix pack | 6.3.0-TIV-ITM-FP0007
       | provisional fix | 6.3.0-TIV-ITM-FP0006-IV77992
       | provisional fix | 6.3.0-TIV-ITM-FP0005-IV77992
       | provisional fix | 6.2.3-TIV-ITM-FP0005-IV77992
       | provisional fix | 6.2.2-TIV-ITM-FP0009-IV77992
    
    
    NOTE: The fix for IV77992 requires the patch be installed on
    the portal server. In addition to this, the patch needs to be
    installed on the systems where the tacmd CLI is installed and
    utilized. The CLI is installed as part of the "ue" component.
    
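    The following is an added illustration of the server-side pattern the
    APAR fix describes; it is not IBM's code and does not reflect the
    portal server's internals. It contrasts a handler that decides a
    user-administration action from a flag the client placed in the
    request body (the class of weakness the APAR reports) with one that
    re-derives the caller's identity and authority from server-held state
    before acting. All names (SESSIONS, make_directory, USER_ADMIN, the two
    handlers) and all users and tokens are constructed. The final check,
    that a caller may not grant permissions it does not hold itself, is an
    added least-privilege caveat and is not stated in the APAR.

```python
"""Server-side authorization for a user-administration REST action.

Constructed example, not IBM's code. The directory, sessions, permission
name and handler names are all hypothetical.
"""
import json
from typing import Callable, Dict, List, Set

USER_ADMIN = "USER_ADMIN"  # hypothetical permission required for user administration

Directory = Dict[str, Set[str]]  # user name -> permissions granted to that user


class AuthorizationError(Exception):
    """Raised when the server refuses a user-administration action."""


# Constructed server-side session store: session token -> authenticated user.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


def make_directory() -> Directory:
    """Return a fresh copy of the constructed user directory."""
    return {"alice": {USER_ADMIN, "VIEW"}, "bob": {"VIEW"}, "carol": {"VIEW"}}


def vulnerable_modify(directory: Directory, session_token: str, body: str) -> List[str]:
    """'Before' pattern: the only authority check reads a flag supplied in the
    request body, so whatever arrives in the packet decides the outcome."""
    req = json.loads(body)
    if not req.get("callerIsAdmin", False):
        raise AuthorizationError("callerIsAdmin flag not set")
    directory[req["target"]] = set(req["permissions"])
    return sorted(directory[req["target"]])


def hardened_modify(directory: Directory, session_token: str, body: str) -> List[str]:
    """'After' pattern: identity and authority come from server-held state and
    are checked before any user-administration action; body fields are data only."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise AuthorizationError("unauthenticated session")
    if USER_ADMIN not in directory.get(caller, set()):
        raise AuthorizationError(f"{caller} lacks {USER_ADMIN}")

    req = json.loads(body)
    target = req["target"]
    if target not in directory:
        raise AuthorizationError(f"unknown target user {target}")

    requested = set(req["permissions"])
    # Added least-privilege caveat (not from the APAR): a caller may not hand
    # out permissions it does not hold itself.
    excess = requested - directory[caller]
    if excess:
        raise AuthorizationError(f"{caller} cannot grant {sorted(excess)}")

    directory[target] = requested
    return sorted(directory[target])


def is_rejected(handler: Callable[..., List[str]], directory: Directory,
                session_token: str, body: str) -> bool:
    """True if the handler refuses the request with AuthorizationError."""
    try:
        handler(directory, session_token, body)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    # bob holds only VIEW; the body claims admin authority and asks for USER_ADMIN on carol.
    body = '{"callerIsAdmin": true, "target": "carol", "permissions": ["USER_ADMIN"]}'
    print("vulnerable handler rejected:", is_rejected(vulnerable_modify, make_directory(), "tok-bob", body))
    print("hardened handler rejected:  ", is_rejected(hardened_modify, make_directory(), "tok-bob", body))
```

    The hardened handler never reads an authority claim from the request;
    the session token identifies the caller, and the server's own directory
    decides whether that caller may administer users at all.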

Temporary fix

Comments

APAR Information

  • APAR number

    IV77992

  • Reported component name

    TEP

  • Reported component ID

    5724C04EP

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-10-13

  • Closed date

    2017-01-06

  • Last modified date

    2017-01-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TEP

  • Fixed component ID

    5724C04EP

Applicable component levels

  • R630 PSY

       UP


Document Information

Modified date:
30 December 2022