JR50984: SECURITY APAR - CVE-2014-4802 - SAVED SEARCH ADMIN SHOWS RESULT FOR NON-AUTHORIZED USER

Version 8.5 Refresh Pack 6 for the IBM Business Process Manager products
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products

APAR status

• Closed as program error.

Error description

• When you create and run a saved search from the Saved Search
  Admin tab of the Process Admin Console, the result set might
  contain tasks or instances that the current user is not
  authorized to see.
  
  PRODUCTS AFFECTED:
  IBM Business Process Manager (BPM) Advanced
  IBM BPM Standard
  IBM BPM Express
  

Local fix

Problem summary

• Saved Search Admin does not use the current user as the context
  for running the saved search; as a result, entries that the
  current user is not authorized to see are returned.
  

Problem conclusion

• Fixes for IBM BPM V8.0.1.3, V8.5.0.1, and V8.5.5.0 are available
   that return information in the context of only the current
  user.
  
  On Fix Central (http://www.ibm.com/support/fixcentral), search
  for JR50984:
  
  1. Select IBM Business Process Manager with your edition from
  the product selector, the installed version to the fix pack
  level, and your platform, and then click Continue.
  2. Select APAR or SPR, enter JR50984, and click Continue.
  
  When you download fix packages, ensure that you also download
  the readme file for each fix. Review each readme file for
  additional installation instructions and information about the
  fix.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM STANDARD

• Fixed component ID

  5725C9500

Applicable component levels

• R801 PSY

     UP

• R850 PSY

     UP

• R855 PSY

     UP