IBM Support

JR55701: SECURITY APAR - CVE-2016-0349 - INCORRECT AUTHORIZATION FOR UPDATE OF PROCESS INSTANCE VARIABLES IN IBM BPM

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • Because the action of updating process instance variables is not
    correctly authorized, users without required permission can
    update process instance variables in IBM Business Process
    Manager.
    

Local fix

Problem summary

  • IBM Business Process Manager (BPM) provides a REST API to update
    process instance variables that applies insufficient
    authorization checks.
    
    PRODUCTS AFFECTED
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.6 and V8.5.7 that adds an
    authorization check for the REST API. This check verifies that
    the user is either an IBM BPM admin or member of the IBM Process
    Portal admin team that is defined for the process application
    containing the process instance. As long as no IBM Process
    Portal admin team is defined, you can authorize additional users
    by setting the ACTION_UPDATE_INSTANCE_VARIABLE action policy.
    
    If set to "false", the members defined for an action policy can
    perform the corresponding action, regardless of whether the
    Portal Admin Team is defined.
    
    For IBM BPM V8.5.6 Cumulative Fix 2, go to Fix Central
    (http://www.ibm.com/support/fixcentral) and search for JR55701:
    
    1. Select IBM Business Process Manager with your edition from
      the product selector, the installed version to the fix pack
      level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR55701, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    
    For IBM BPM V8.5.7, a fix will be included in an upcoming IBM
    Business Process Manager (BPM) V8.5 cumulative maintenance
    vehicle.
    
    To determine whether the cumulative fix is available and
    download it if it is, complete the following steps on Fix
    Central:
    
    1. Select IBM Business Process Manager with your edition from
    the product selector, the installed version to the fix pack
    level, and your platform, and then click Continue.
    2. Select Text, enter ?cumulative fix?, and click Continue.
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR55701

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    856

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2016-04-06

  • Closed date

    2016-06-24

  • Last modified date

    2016-06-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R856 PSY

       UP

  • R857 PSY

       UP



Document information

More support for: IBM Business Process Manager Standard

Software version: 856

Reference #: JR55701

Modified date: 24 June 2016