ELM 7.0.2 iFix004, ELM 7.0.1 iFix009, CLM 6.0.6.1 iFix018, and CLM 6.0.6 iFix022 changed the behavior of all OpenSocial gadgets and RSS feeds that fetch content from an external service or location. The change was made to decrease the SSRF vulnerability by allowing communication to sites explicitly listed in the "allowlist." Although reducing the security vulnerability of ELM/CLM, this change can prevent some widgets from functioning when these interim fixes are applied.
Before ELM 7.0.2 iFix004, ELM 7.0.1 iFix009, CLM 6.0.6.1 iFi018, and CLM 6.0.6 iFix022, the default allowlist (also referred to as a “allowlist”) allowed all OpenSocial gadgets and RSS feeds to communicate freely, and did not block any interactions. With these interim fixes, all communication from OpenSocial gadgets and RSS feeds that fetch content from an external service or location are blocked by default.
Follow the instructions in this document to allow the OpenSocial gadgets and RSS feeds to communicate to appropriate sites.
Setting up the allowlist to prevent SSRF attacks
Server-Side Request Forgery (SSRF) vulnerabilities might occur when a web application includes functions to fetch content from an external service or location. The external service might be a public third-party service or an internal private system.
Attackers use this vulnerability to send requests to other public systems, internal systems within the organization, or services available on the local loopback adapter of the application server itself.
A successful attack might cause the application to disclose sensitive information to the attacker or to induce the application to retrieve and process malicious content. When Engineering Lifecycle Management (ELM) is used as an attack proxy, an attacker might attempt the following attack vectors through the SSRF vulnerability:
- Bypass access controls that prevent accessing internal or external URLs, services, systems, and content.
- Conduct port scanning of host in internal networks.
To prevent the SSRF issue, ELM must maintain an allowlist of externally requested services and hosts and block any interactions that do not appear on the allowlist.
To set up the allowlist, you must configure the following service areas:
- External resources allowlist property on the Advanced Properties page of the Jazz Team Server (JTS). Note: This property is available only on the JTS and affects OpenSocial gadgets and the RSS Feeds service.
- The Whitelist (Outbound) page for each registered application.
Complete the following steps to configure the required settings:
1. On the Jazz Team Server Administration page, click the Administration icon; then, click Manage Server.
2. On the Advanced Properties page, configure the External resources allowlist property by adding URLs for Gadgets and Feeds for all apps.
Note:
- Enter absolute URLs separated by a comma. Do not add a space after the comma.
- You can enter an asterisk (*) to allow all URLs.
3. Optionally, to customize filtering for each app, scroll down and configure the Jazz Authentication Proxy Whitelist (this is shown in some versions as Jazz Authentication Proxy allowlist). This list is added to the External resources allowlist as the URLs which are allowed through the proxy.
Repeat the following steps for each registered application:
4. To allow access for each registered application, on that application's Server Administration page, click the Administration icon and then, click Manage Server.
5. Under Communication, click Whitelist (Outbound).
6. On the URL Whitelist page, in the Enter Base URL field, enter the absolute URL for the registered app.
Note: This setting affects several features in ELM, including the OpenSocial gadgets and RSS Feeds.
- Changes require 10 minutes to take effect.
- URLs to friends and registered apps are allowed on both of the allow lists. An empty list blocks all external URLs.
- OpenSocial Gadgets and the RSS Feed service allow connections to any URL that is on either the External resources allowlist or on the Jazz Authentication Proxy allowlist.
- To restore the old behavior in the versions before 7.0.1 iFix009 and 7.0.2 iFix004, enter an asterisk (*) in the External resources allowlist property to allow all URLs.
[{"Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSPRJQ","label":"IBM Engineering Lifecycle Management Base"},"ARM Category":[{"code":"a8m50000000L2CkAAK","label":"Continuous Engineering-\u003ESecurity"},{"code":"a8m0z000000CbPxAAK","label":"Jazz Team Server-\u003ESecurity Vulnerabilities"},{"code":"a8m50000000CjLHAA0","label":"Test Management-\u003ESecurity and Authentication"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1;7.0.2;and future releases","Type":"MASTER"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUVLZ","label":"IBM Engineering Requirements Management DOORS Next"},"ARM Category":[{"code":"a8m50000000L2CkAAK","label":"Continuous Engineering-\u003ESecurity"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.6;7.0.1;7.0.2;and future releases"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUVV6","label":"IBM Engineering Test Management"},"ARM Category":[{"code":"a8m50000000CjLHAA0","label":"Test Management-\u003ESecurity and Authentication"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1;7.0.2;and future releases"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUC3U","label":"IBM Engineering Workflow Management"},"ARM Category":[{"code":"a8m50000000CjdlAAC","label":"Workflow Management-\u003ESecurity"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0.1;7.0.2;and future releases"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSJJ9R","label":"Rational DOORS Next Generation"},"ARM Category":[{"code":"a8m0z000000CbPxAAK","label":"Jazz Team Server-\u003ESecurity Vulnerabilities"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.0;and future releases"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSR27Q","label":"Rational Quality Manager"},"ARM Category":[{"code":"a8m50000000CjLHAA0","label":"Test Management-\u003ESecurity and Authentication"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.0;and future releases"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCP65","label":"Rational Team Concert"},"ARM Category":[{"code":"a8m0z000000CbPxAAK","label":"Jazz Team Server-\u003ESecurity Vulnerabilities"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.0;and future releases"},{"Type":"MASTER","Line of Business":{"code":"LOB59","label":"Sustainability Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYMRC","label":"Rational Collaborative Lifecycle Management"},"ARM Category":[{"code":"a8m0z000000CbPxAAK","label":"Jazz Team Server-\u003ESecurity Vulnerabilities"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0.6;and future releases"}]