JR53209: SECURITY APAR - CVE-2015-1904 - MISSING AUTHORIZATION FOR UPLOADING AND DOWNLOADING DOCUMENTS IN ECM
Direct links to fixes
Version 8.5.0 Fix Pack 2 for the IBM Business Process Manager products
Version 8.5 Refresh Pack 7 for the IBM Business Process Manager products
Closed as program error.
IBM Business Process Manager (BPM) offers integration with external Enterprise Content Management (ECM) systems. If a process app is configured to always connect to an external ECM system by using a predefined technical system account rather than the actual end user, the process app developer cannot prevent documents from being uploaded to or downloaded from the external ECM system. PRODUCTS AFFECTED: IBM BPM Advanced IBM BPM Standard IBM BPM Express
No additional information is available.
A fix is available for IBM BPM V184.108.40.206, V220.127.116.11, V18.104.22.168, and V22.214.171.124 that introduces additional functionality to the product with the use of a server-side configuration option to enable or disable a customizable security service. This service can check the permission of a user and can be created and selected by using the new service selector labeled External ECM Document Authorization Service, which is added to the Server Settings for the added Enterprise Content Manager Servers and is necessary for server definitions with "Always use this connection information" enabled. The Document List and Document Viewer coach views use this service from the Content Management (SYSCM) toolkit when they creation, update, and download documents, which cannot be customized by using an Ajax service. The service is not used when you directly invoke the Content Integration operation from a human service, Ajax service, or integration service. This service should have the following signature: Input parameters -documentId (ECMID) -objectTypeId (ECMID) -action (String) The actions available for creating, downloading, and updating external ECM documents are: "ACTION_CREATE_DOCUMENT", "ACTION_GET_DOCUMENT_CONTENT", and "ACTION_UPDATE_DOCUMENT" respectively -serverName (String) Output parameter -authorized (Boolean) The following example is a sample configuration of the new property, which you can configure in the 100Custom.xml file: <server> <!-- enable the document authorization security service --> <enable-document-authorization-security-service>true</enable-doc ument-authorization-security-service> </server> For more information about changing server properties, see ?Changing server properties in 100Custom.xml? (http://www.ibm.com/support/knowledgecenter/SSFTDH_8.0.1/com.ibm .wbpm.admin.doc/topics/changing_server_props.html). Note: The new configuration option is enabled and no service is defined by default. To continue using the Document List and Document Viewer coach views, create or implement the security service or disable it by setting the configuration option previously mentioned to false in the 100Custom.xml file. However, setting this property to false disables the authorization service, which means Document List and Document Viewer coach views will work as before, without authorization for uploading and downloading documents from an ECM. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR53209: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR53209, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Reported component name
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
Fixed component ID
Applicable component levels