JR55701: SECURITY APAR - CVE-2016-0349 - INCORRECT AUTHORIZATION FOR UPDATE OF PROCESS INSTANCE VARIABLES IN IBM BPM
Closed as program error.
Because the action of updating process instance variables is not correctly authorized, users without required permission can update process instance variables in IBM Business Process Manager.
IBM Business Process Manager (BPM) provides a REST API to update process instance variables that applies insufficient authorization checks.

Products affected:
IBM Business Process Manager (BPM) Advanced
IBM BPM Standard
IBM BPM Express
A fix is available for IBM BPM V8.5.6 and V8.5.7 that adds an authorization check to the REST API. The check verifies that the user is either an IBM BPM administrator or a member of the IBM Process Portal admin team defined for the process application that contains the process instance. As long as no IBM Process Portal admin team is defined, you can authorize additional users by setting the ACTION_UPDATE_INSTANCE_VARIABLE action policy. If set to "false", the members defined for an action policy can perform the corresponding action, regardless of whether the Portal Admin Team is defined.

For IBM BPM V8.5.6 Cumulative Fix 2, go to Fix Central (http://www.ibm.com/support/fixcentral) and search for JR55701:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR55701, and click Continue.
When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.

For IBM BPM V8.5.7, a fix will be included in an upcoming IBM Business Process Manager (BPM) V8.5 cumulative maintenance vehicle. To determine whether the cumulative fix is available, and download it if it is, complete the following steps on Fix Central:
1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select Text, enter "cumulative fix", and click Continue.
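The authorization rule the fix describes, modelled as an added example that is not IBM's code: a pre-fix handler that applies the update for any authenticated caller sits beside a post-fix handler that first checks whether the caller is a BPM administrator, a member of the Portal admin team of the containing process application, or a member of the ACTION_UPDATE_INSTANCE_VARIABLE action policy when that policy applies. Everything except the action policy name is an assumption: the class names, the group name `bpmadmin`, and the `admin_team_overrides_policies` parameter, which stands in for the unnamed setting whose "false" value lets policy members act regardless of the admin team.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Constructed model of the authorization rule the fix describes. The class,
# group and parameter names below are illustrative; only the action policy
# name ACTION_UPDATE_INSTANCE_VARIABLE comes from the advisory.

ACTION_UPDATE_INSTANCE_VARIABLE = "ACTION_UPDATE_INSTANCE_VARIABLE"
BPM_ADMIN_GROUP = "bpmadmin"  # assumed name of the BPM administrators group


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str] = frozenset()


@dataclass
class ProcessApp:
    name: str
    # None models "no IBM Process Portal admin team defined" for this app.
    portal_admin_team: Optional[FrozenSet[str]] = None
    # action policy name -> principals (user or group names) granted that action
    action_policies: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class ProcessInstance:
    instance_id: str
    app: ProcessApp
    variables: Dict[str, object] = field(default_factory=dict)


def _is_member(user: User, principals) -> bool:
    """True if the user, or one of the user's groups, is among the principals."""
    return user.name in principals or bool(user.groups & set(principals))


def is_authorized(user: User, instance: ProcessInstance,
                  admin_team_overrides_policies: bool = True) -> bool:
    """Decide whether `user` may update variables of `instance`.

    BPM admins and members of the Portal admin team defined for the containing
    process application are always allowed. Members of the
    ACTION_UPDATE_INSTANCE_VARIABLE action policy are allowed when no admin
    team is defined, or when `admin_team_overrides_policies` is False (the
    advisory's "false" setting).
    """
    app = instance.app
    if BPM_ADMIN_GROUP in user.groups:
        return True
    if app.portal_admin_team is not None and _is_member(user, app.portal_admin_team):
        return True
    policy = app.action_policies.get(ACTION_UPDATE_INSTANCE_VARIABLE, set())
    if app.portal_admin_team is None or not admin_team_overrides_policies:
        return _is_member(user, policy)
    return False


def update_variables_unchecked(user: User, instance: ProcessInstance,
                               updates: Dict[str, object]) -> bool:
    """Pre-fix behaviour: the update is applied for any authenticated caller."""
    instance.variables.update(updates)
    return True


def update_variables_checked(user: User, instance: ProcessInstance,
                             updates: Dict[str, object],
                             admin_team_overrides_policies: bool = True) -> bool:
    """Post-fix behaviour: apply the update only after the authorization check."""
    if not is_authorized(user, instance, admin_team_overrides_policies):
        return False
    instance.variables.update(updates)
    return True


def demo() -> Dict[str, bool]:
    """Run constructed scenarios and return the decision for each."""
    policy = {ACTION_UPDATE_INSTANCE_VARIABLE: {"carol"}}
    app_with_team = ProcessApp("Loans", portal_admin_team=frozenset({"alice"}),
                               action_policies=policy)
    app_no_team = ProcessApp("Claims", action_policies=policy)
    admin = User("root", frozenset({BPM_ADMIN_GROUP}))
    alice, bob, carol = User("alice"), User("bob"), User("carol")
    upd = {"amount": 1}
    return {
        "unchecked_plain_user": update_variables_unchecked(bob, ProcessInstance("1", app_with_team), upd),
        "plain_user": update_variables_checked(bob, ProcessInstance("2", app_with_team), upd),
        "bpm_admin": update_variables_checked(admin, ProcessInstance("3", app_with_team), upd),
        "admin_team_member": update_variables_checked(alice, ProcessInstance("4", app_with_team), upd),
        "policy_member_team_defined": update_variables_checked(carol, ProcessInstance("5", app_with_team), upd),
        "policy_member_override_false": update_variables_checked(
            carol, ProcessInstance("6", app_with_team), upd, admin_team_overrides_policies=False),
        "policy_member_no_team": update_variables_checked(carol, ProcessInstance("7", app_no_team), upd),
    }


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario}: {'allowed' if allowed else 'denied'}")
```

The point the scenarios make is the one the advisory makes: the decision must be taken per process instance, because the admin team and the action policy are properties of the process application that contains the instance, so a caller who is authorized for one application is not thereby authorized for another.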