IBM Support

JR53209: SECURITY APAR - CVE-2015-1904 - MISSING AUTHORIZATION FOR UPLOADING AND DOWNLOADING DOCUMENTS IN ECM

Direct links to fixes

8.0.1.3-WS-BPM-IFJR53209
8.5.0.1-WS-BPM-IFJR53209
8.5.5.0-WS-BPM-IFJR53209
8.5.6.0-WS-BPM-IFJR53209
bpm.8560.cf1.delta.repository.1
bpm.8560.cf1.delta.repository.2
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • IBM Business Process Manager (BPM) offers integration with
external Enterprise Content Management (ECM) systems. If a
process app is configured to always connect to an external ECM
system by using a predefined technical system account rather
than the actual end user, the process app developer cannot
prevent documents from being uploaded to or downloaded from the
external ECM system.

PRODUCTS AFFECTED:
IBM BPM Advanced
IBM BPM Standard
IBM BPM Express

Local fix

  • 



Problem summary


    

  • No additional information is available.

    



Problem conclusion


    

  • A fix is available for IBM BPM V8.0.1.3, V8.5.0.1, V8.5.5.0, and
 V8.5.6.0 that introduces additional functionality to the
product with the use of a server-side configuration option to
enable or disable a customizable security service. This service
can check the permission of a user and can be created and
selected by using the new service selector labeled External ECM
Document Authorization Service, which is added to the Server
Settings for the added Enterprise Content Manager Servers and is
 necessary for server definitions with "Always use this
connection information" enabled.

The Document List and Document Viewer coach views use this
service from the Content Management (SYSCM) toolkit when they
creation, update, and download documents, which cannot be
customized by using an Ajax service. The service is not used
when you directly invoke the Content Integration operation from
a human service, Ajax service, or integration service.

This service should have the following signature:

Input parameters
-documentId (ECMID)
-objectTypeId (ECMID)
-action (String) The actions available for creating,
downloading, and updating external ECM documents are:
"ACTION_CREATE_DOCUMENT", "ACTION_GET_DOCUMENT_CONTENT", and
"ACTION_UPDATE_DOCUMENT" respectively
-serverName (String)

Output parameter
-authorized (Boolean)

The following example is a sample configuration of the new
property, which you can configure in the 100Custom.xml file:

<server>
  <!-- enable the document authorization security service -->

<enable-document-authorization-security-service>true</enable-doc
ument-authorization-security-service>
</server>

For more information about changing server properties, see
?Changing server properties in 100Custom.xml?
(http://www.ibm.com/support/knowledgecenter/SSFTDH_8.0.1/com.ibm
.wbpm.admin.doc/topics/changing_server_props.html).

Note: The new configuration option is enabled and no service is
defined by default. To continue using the Document List and
Document Viewer coach views, create or implement the security
service or disable it by setting the configuration option
previously mentioned to false in the 100Custom.xml file.
However, setting this property to false disables the
authorization service, which means Document List and Document
Viewer coach views will work as before, without authorization
for uploading and downloading documents from an ECM.

On Fix Central (http://www.ibm.com/support/fixcentral), search
for JR53209:

    1. Select IBM Business Process Manager with your edition
from the product selector, the installed version to the fix pack
level, and your platform, and then click Continue.
    2. Select APAR or SPR, enter JR53209, and click Continue.

When you download fix packages, ensure that you also download
the readme file for each fix. Review each readme file for
additional installation instructions and information about the
fix.

    



Temporary fix


    

  • N/A

    



Comments


    

  • 



APAR Information




    

  • APAR number
    JR53209
    • 

  • Reported component name
    BPM ADVANCED
    • 

  • Reported component ID
    5725C9400
    • 

  • Reported release
    856
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2015-04-29
    • 

  • Closed date
    2015-07-29
    • 

  • Last modified date
    2015-07-29
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    BPM ADVANCED
    • 

  • Fixed component ID
    5725C9400
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSFTN5","label":"IBM Business Process Manager Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"856","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 August 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback