IBM Support

IV84740: VULNERABILITY - DIRECT OBJECT REFERENCE

APAR status

  • Closed as fixed if next.

Error description

  • The issue reported is that a user opens their notification
    record and then changes the spec id of that record in the URL
    (by changing the last digits) to open and view other TRIRIGA
    records. This is a security vulnerability because the user is
    able to see other TRIRIGA records that should not be visible to
    them.
    
    Direct Object Reference vulnerabilities relate to the use of
    identifiers that are directly tied to content within a database
    or file system. Applications that expose Direct Object
    References are usually prone to security issues when one user
    is able to view content that belongs to another user by
    changing the reference value. Incomplete or inconsistent access
    controls are typically to blame for this vulnerability.
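
The access-control gap described above, shown beside a per-request authorization check and the delete-after-send fix from the problem summary. This is an added example, not IBM or TRIRIGA code; the record store, ids and function names are hypothetical.

```python
# Added illustration; record layout, ids and function names are hypothetical,
# not TRIRIGA's data model or API.
from dataclasses import dataclass


@dataclass
class Record:
    spec_id: int
    owner: str
    body: str


# Constructed sample data with adjacent ids, as in the report.
RECORDS = {
    10001: Record(10001, "alice", "Notification: your request was approved"),
    10002: Record(10002, "bob", "Notification: temporary password issued"),
}


class AccessDenied(Exception):
    """Raised for both missing and forbidden records so ids cannot be probed."""


def load_record_unchecked(spec_id: int) -> Record:
    # Flawed pattern: the id from the URL is the only input to the lookup,
    # so any authenticated user can read any record.
    return RECORDS[spec_id]


def load_record_checked(user: str, spec_id: int) -> Record:
    # Corrected pattern: authorize every lookup against the session user.
    record = RECORDS.get(spec_id)
    if record is None or record.owner != user:
        raise AccessDenied(spec_id)
    return record


def can_read(user: str, spec_id: int) -> bool:
    try:
        load_record_checked(user, spec_id)
        return True
    except AccessDenied:
        return False


def purge_after_send(spec_id: int) -> bool:
    # Mirrors the fix in the problem summary: remove the notification once
    # its email has gone out, so the sensitive value does not stay stored.
    return RECORDS.pop(spec_id, None) is not None
```
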
    

Local fix

  • No
    

Problem summary

  • Fixed. Notification records containing a temporary password are
    viewable by all TRIRIGA users. A workflow has been created to
    delete the Notification record containing the temporary password
    after the email Notification with the temporary password has been
    sent to the user. This issue will be resolved in our next major
    release version, which is tentatively planned for 2H 2016.
    

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    IV84740

  • Reported component name

    TRI APPLI SETUP

  • Reported component ID

    5725F25AS

  • Reported release

    A41

  • Status

    CLOSED FIN

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-05-12

  • Closed date

    2016-06-16

  • Last modified date

    2016-06-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels

  • RA51 PSY

       UP



Document information

More support for: IBM TRIRIGA Portfolio Data Manager
IBM TRIRIGA Application Setup and Administration

Software version: A41

Reference #: IV84740

Modified date: 16 June 2016