Direct links to fixes
8.6.0.201803-WS-BPM-IFJR62801
8.6.20020001-WS-BPM-IFJR62453
8.5.7.201706-WS-BPM-IFJR62453
8.6.10019003-WS-BPM-IFJR62453
8.6.10019002-WS-BPM-IFJR62453
8.6.10019001-WS-BPM-IFJR62453
8.6.10018001-WS-BPM-IFJR62453
8.6.0.201803-WS-BPM-IFJR62453
workflow.20001.delta.repository
8.6.10019003-WS-BPM-IFJR61612
8.6.10019002-WS-BPM-IFJR61612
8.6.10019001-WS-BPM-IFJR61612
8.6.10018001-WS-BPM-IFJR61612
8.6.0.201803-WS-BPM-IFJR61612
8.5.7.201706-WS-BPM-IFJR61612
APAR status
Closed as program error.
Error description
A CMIS query in the content integration service can return the list of documents in the repository even though the current user has no access to it. Even if the documents cannot be downloaded, an attacker might be able to see what is stored in the system by manipulating the CMIS query (e.g. by removing the WHERE clause).
Local fix
n/a
Problem summary
No additional information is available.
Problem conclusion
A fix that ensures a CMIS query with a BPD endpoint doesn't return more documents will be included in a future release of Business Automation Workflow.
Temporary fix
Comments
APAR Information
APAR number
JR61612
Reported component name
BUS AUTO WORKFL
Reported component ID
5737H4100
Reported release
J00
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-10-16
Closed date
2020-02-26
Last modified date
2020-02-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BUS AUTO WORKFL
Fixed component ID
5737H4100
Applicable component levels
Line of Business: Automation (LOB45)
Business Unit: Cloud & Data Platform (BU053)
Product: IBM Business Automation Workflow (SS8JB4)
Platform: Platform Independent (PF025)
Version: 19.0.0.1
Document Information
Modified date:
18 November 2020