IBM Support

JR53209: SECURITY APAR - CVE-2015-1904 - MISSING AUTHORIZATION FOR UPLOADING AND DOWNLOADING DOCUMENTS IN ECM


APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) offers integration with
    external Enterprise Content Management (ECM) systems. If a
    process app is configured to always connect to an external ECM
    system by using a predefined technical system account rather
    than the actual end user, the process app developer cannot
    prevent documents from being uploaded to or downloaded from the
    external ECM system.
    
    PRODUCTS AFFECTED:
    IBM BPM Advanced
    IBM BPM Standard
    IBM BPM Express
    

Local fix

Problem summary

  • No additional information is available.
    

Problem conclusion

  • A fix is available for IBM BPM V8.0.1.3, V8.5.0.1, V8.5.5.0, and
    V8.5.6.0 that introduces additional functionality to the
    product with the use of a server-side configuration option to
    enable or disable a customizable security service. This service
    can check the permission of a user and can be created and
    selected by using the new service selector labeled External ECM
    Document Authorization Service, which is added to the Server
    Settings for the added Enterprise Content Manager Servers and is
    necessary for server definitions with "Always use this
    connection information" enabled.
    
    The Document List and Document Viewer coach views call this
    service from the Content Management (SYSCM) toolkit when they
    create, update, or download documents; this behavior cannot be
    customized by using an Ajax service. The service is not invoked
    when you call the Content Integration operation directly from
    a human service, Ajax service, or integration service.
    
    This service should have the following signature:
    
    Input parameters
    -documentId (ECMID)
    -objectTypeId (ECMID)
    -action (String) The actions available for creating,
    downloading, and updating external ECM documents are:
    "ACTION_CREATE_DOCUMENT", "ACTION_GET_DOCUMENT_CONTENT", and
    "ACTION_UPDATE_DOCUMENT" respectively
    -serverName (String)
    
    Output parameter
    -authorized (Boolean)
    
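    The following is an added illustration, not IBM's code, of how a service
    with the signature above can be implemented as a default-deny check in
    server-side JavaScript. It assumes a constructed per-server policy table,
    models the ECMID inputs as plain string ids, and takes the current user's
    group names as an extra argument (a real BPM service would obtain them
    from the runtime).

```javascript
// Added example (not IBM's code): a default-deny implementation of the
// External ECM Document Authorization Service contract described above.
// Assumptions: ECMID inputs are passed as plain string ids, the caller
// supplies the current user's group names, and POLICY is a constructed
// sample rather than a real configuration.
const ACTIONS = Object.freeze([
  "ACTION_CREATE_DOCUMENT",
  "ACTION_GET_DOCUMENT_CONTENT",
  "ACTION_UPDATE_DOCUMENT",
]);

// Constructed sample policy: for each ECM server definition, which
// groups may perform which action on which object type.
const POLICY = {
  ContractsECM: {
    ACTION_GET_DOCUMENT_CONTENT: { "cmis:document": ["Reviewers", "Editors"] },
    ACTION_CREATE_DOCUMENT: { "cmis:document": ["Editors"] },
    ACTION_UPDATE_DOCUMENT: { "cmis:document": ["Editors"] },
  },
};

// Mirrors the documented signature: documentId, objectTypeId, action and
// serverName in; a single Boolean 'authorized' out.
function isAuthorized(documentId, objectTypeId, action, serverName, userGroups) {
  // Fail closed on anything unexpected: unknown action, server not covered
  // by the policy, missing object type, or no group information.
  if (!ACTIONS.includes(action)) return false;
  if (typeof serverName !== "string" || !(serverName in POLICY)) return false;
  if (typeof objectTypeId !== "string" || objectTypeId.length === 0) return false;
  if (!Array.isArray(userGroups) || userGroups.length === 0) return false;
  // Creating a document has no existing id yet; the other two actions must
  // name the document they operate on.
  const needsDocument = action !== "ACTION_CREATE_DOCUMENT";
  if (needsDocument && (typeof documentId !== "string" || documentId.length === 0)) {
    return false;
  }
  const byType = POLICY[serverName][action] || {};
  const allowedGroups = byType[objectTypeId] || [];
  // Authorized only when the user holds at least one permitted group.
  return userGroups.some((group) => allowedGroups.includes(group));
}
```
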
    The following example is a sample configuration of the new
    property, which you can configure in the 100Custom.xml file:
    
    <server>
      <!-- enable the document authorization security service -->
      <enable-document-authorization-security-service>true</enable-document-authorization-security-service>
    </server>
    
    For more information about changing server properties, see
    "Changing server properties in 100Custom.xml"
    (http://www.ibm.com/support/knowledgecenter/SSFTDH_8.0.1/com.ibm.wbpm.admin.doc/topics/changing_server_props.html).
    
    Note: The new configuration option is enabled and no service is
    defined by default. To continue using the Document List and
    Document Viewer coach views, create or implement the security
    service or disable it by setting the configuration option
    previously mentioned to false in the 100Custom.xml file.
    However, setting this property to false disables the
    authorization service, which means Document List and Document
    Viewer coach views will work as before, without authorization
    for uploading and downloading documents from an ECM.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR53209:
    
      1. Select IBM Business Process Manager with your edition
         from the product selector, the installed version to the fix pack
         level, and your platform, and then click Continue.
      2. Select APAR or SPR, enter JR53209, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    

Temporary fix

  • N/A
    

Comments

APAR Information

  • APAR number

    JR53209

  • Reported component name

    BPM ADVANCED

  • Reported component ID

    5725C9400

  • Reported release

    856

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-04-29

  • Closed date

    2015-07-29

  • Last modified date

    2015-07-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM ADVANCED

  • Fixed component ID

    5725C9400

Applicable component levels

  • R801 PSY

       UP

  • R850 PSY

       UP

  • R855 PSY

       UP

  • R856 PSY

       UP



Document information

More support for: IBM Business Process Manager Advanced

Software version: 856

Reference #: JR53209

Modified date: 29 July 2015