Fixes are available
APAR status
Closed as program error.
Error description
You cannot restrict file uploads by mime-type in a document list coach view. As a result, HTML that contains embedded JavaScript can be uploaded and run in the browser.
Local fix
Problem summary
The IBM BPM document management feature might allow a remote attacker to include arbitrary files. A remote attacker might upload a malicious file from a remote system, which might allow the attacker to run arbitrary code on the vulnerable web server.
Problem conclusion
A fix is available for IBM BPM 7.2.0.5, 7.5.1.2, 8.0.1.2 and 8.5.0.1 that introduces additional functionality to the product with two server-side configuration options (one for file uploads and one for file downloads):

1. A server-side configuration option is introduced which allows an optional white-list of mime-types to be specified. Mime-types included in the list will be allowed for upload while all other mime-types will be blocked from upload.
2. A server-side configuration option is introduced which allows an optional black-list of mime-type mappings to be specified. Each mime-type mapping allows for a conversion to be made from a specific mime-type to a specific mime-type upon download.

The following example is a sample configuration of the new options, which you can configure in the 100Custom.xml file:

    <server>
      <!-- mime type white list which specifies mime types accepted for -->
      <!-- upload to document list or document attachment -->
      <document-attachment-accepted-mime-types>
        <!-- specifies whether to allow a null mime type for upload -->
        <allow-null-mime-type>false</allow-null-mime-type>
        <!-- lists the mime types allowed for upload -->
        <mime-type>text/plain</mime-type>
        <mime-type>img/png</mime-type>
      </document-attachment-accepted-mime-types>
      <!-- mime type black list which specifies mappings from unacceptable -->
      <!-- mime types to acceptable mime types for download from -->
      <!-- document list or document attachment -->
      <document-attachment-download-mime-types>
        <!-- will map text/html mime type to text/plain mime type -->
        <mime-type-map>
          <from>text/html</from>
          <to>text/plain</to>
        </mime-type-map>
        <!-- missing <to> element implies mapping to content/octet-stream -->
        <mime-type-map>
          <from>application/pdf</from>
        </mime-type-map>
      </document-attachment-download-mime-types>
    </server>

Note: The default configuration (without configuration information provided in 100Custom.xml) acts as a blacklist for the text/html mime-type and maps it to the text/plain mime-type. Providing a configuration in 100Custom.xml overrides the default configuration. As a result, for text/html to remain on the blacklist, it must be explicitly added in 100Custom.xml.

To retrieve this fix, on Fix Central (http://www.ibm.com/support/fixcentral) search for JR50092:

1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue.
2. Select APAR or SPR, enter JR50092, and click Continue.

When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
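The following Python example, added here and not part of the APAR or of IBM BPM's own code, models the two controls the fix describes so an administrator can test a 100Custom.xml fragment before deploying it: upload mime-types are checked against the white-list (with the allow-null-mime-type switch), and download mime-types are rewritten through the black-list mappings, with a missing <to> element falling back to the octet-stream type. It also covers the note above: once any download mappings are configured, the built-in text/html to text/plain mapping no longer applies unless it is listed, so the check function flags a configuration under which HTML would be served as HTML. The element names come from the page; the parsing code, the helper names, the treatment of an absent white-list as "no upload filtering" and the case-insensitive comparison are assumptions. Two page values are adjusted because they are not registered mime-types: the sample uses image/png rather than img/png, and application/octet-stream rather than the "content/octet-stream" written in the page's XML comment.

```python
import xml.etree.ElementTree as ET

# Constructed sample config, modelled on the 100Custom.xml fragment on the page
# (image/png used in place of the page's img/png, see lead-in).
SAMPLE_CONFIG = """<server>
  <document-attachment-accepted-mime-types>
    <allow-null-mime-type>false</allow-null-mime-type>
    <mime-type>text/plain</mime-type>
    <mime-type>image/png</mime-type>
  </document-attachment-accepted-mime-types>
  <document-attachment-download-mime-types>
    <mime-type-map>
      <from>text/html</from>
      <to>text/plain</to>
    </mime-type-map>
    <mime-type-map>
      <from>application/pdf</from>
    </mime-type-map>
  </document-attachment-download-mime-types>
</server>
"""

# The page states the product default (no 100Custom.xml entries) maps text/html to text/plain.
DEFAULT_DOWNLOAD_MAP = {"text/html": "text/plain"}
# Fallback when a <mime-type-map> has no <to> element (assumed standard octet-stream type).
OCTET_STREAM = "application/octet-stream"


def normalize(mime):
    """Drop parameters such as '; charset=utf-8' and lower-case the type (assumed behaviour)."""
    return mime.split(";", 1)[0].strip().lower()


def parse_config(xml_text):
    """Read the two document-attachment sections out of a 100Custom.xml-style fragment."""
    root = ET.fromstring(xml_text)
    upload = root.find("document-attachment-accepted-mime-types")
    download = root.find("document-attachment-download-mime-types")

    allow_null = False
    whitelist = None  # None means no white-list configured (assumed: uploads not filtered)
    if upload is not None:
        node = upload.find("allow-null-mime-type")
        allow_null = node is not None and (node.text or "").strip().lower() == "true"
        whitelist = {normalize(m.text) for m in upload.findall("mime-type") if m.text}

    download_map = None  # None means fall back to the product default mapping
    if download is not None:
        download_map = {}
        for entry in download.findall("mime-type-map"):
            src = entry.find("from")
            if src is None or not src.text:
                continue
            dst = entry.find("to")
            download_map[normalize(src.text)] = (
                normalize(dst.text) if dst is not None and dst.text else OCTET_STREAM
            )
    return {"allow_null": allow_null, "whitelist": whitelist, "download_map": download_map}


def upload_allowed(config, mime):
    """White-list check applied to the mime-type declared for an upload."""
    if mime is None or mime.strip() == "":
        return config["allow_null"]
    if config["whitelist"] is None:
        return True
    return normalize(mime) in config["whitelist"]


def download_mime(config, stored_mime):
    """Mime-type that will be sent on download after the black-list mappings are applied."""
    mapping = config["download_map"] if config["download_map"] is not None else DEFAULT_DOWNLOAD_MAP
    key = normalize(stored_mime)
    return mapping.get(key, key)


def html_download_is_inert(config):
    """True when stored text/html will not be served as text/html (the condition the note warns about)."""
    return download_mime(config, "text/html") != "text/html"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for m in ["text/plain", "text/html", None]:
        print("upload", m, "->", upload_allowed(cfg, m))
    for m in ["text/html", "application/pdf", "image/png"]:
        print("download", m, "->", download_mime(cfg, m))
    print("text/html download is inert:", html_download_is_inert(cfg))
```

Running the module against a candidate fragment before copying it into 100Custom.xml shows immediately whether an override that only maps, say, application/pdf has silently dropped the text/html mapping; html_download_is_inert returns False in that case.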
Temporary fix
Comments
APAR Information
APAR number
JR50092
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-04-29
Closed date
2014-08-29
Last modified date
2014-08-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R751 PSY
UP
R801 PSY
UP
R850 PSY
UP
R855 PSY
UP
Document Information
Modified date:
14 October 2021