JR42576: LOGIN PAGES FOR PROCESS CENTER AND PROCESS PORTAL SHOULD HAVE FAME BUSTING CODES

Version 8.0 Refresh Pack 1 for the IBM Business Process Manager products

APAR status

• Closed as program error.

Error description

• Customer noticed that login pages for Process Portal and Process
  Center
  don't have frame busting code to prevent login pages from being
  displayed inside a frame.
  
  Even though log in pages are always exposed to internal use,
  customer
  still wants to add frame busting code here to avoid potential
  vulnerability.
  

Local fix

• Fix will be created against BPM 7.5.1 and The issue will be
  fixed in BPM 8.
  

Problem summary

• ****************************************************************
  * USERS AFFECTED:  BPM 7.5.1 users that use early versions of  *
  *                  IE broswers (IE 5.5 and 6.x).               *
  ****************************************************************
  * PROBLEM DESCRIPTION: Process Portal and Process Center       *
  *                      login pages don't have frame busting    *
  *                      code.                                   *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  Process Portal and Process Center login pages don't have frame
  busting code to prevent login pages from being displayed
  inside a frame. Need to add frame busting code to avoid
  potential vulnerability.
  

Problem conclusion

• Frame busting code was added to fix the vulnerabilities.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM ADVANCED

• Fixed component ID

  5725C9400

Applicable component levels

• R750 PSY

     UP