
Security Bulletin: IBM Maximo Asset Management is vulnerable to Privilege Escalation (CVE-2019-4530)


Summary

IBM Maximo Asset Management could allow an authenticated user to delete a record that they should not normally be able to.

Vulnerability Details

CVEID:   CVE-2019-4530
DESCRIPTION:   IBM Maximo Asset Management could allow an authenticated user to delete a record that they should not normally be able to.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)            Version(s)
IBM Maximo Asset Management    7.6.0
IBM Maximo Asset Management    7.6.1
IBM Maximo Asset Management    7.6.1.1

Remediation/Fixes

Please refer to Workarounds and Mitigations.

Workarounds and Mitigations

The MXAPIWODETAIL object structure provides information on work order records in Maximo. While work center users need access to read, insert, and save work orders using this object structure, they do not need access to delete work orders. The APAR fix removes the DELETE authorization for the MXAPIWODETAIL object structure from the TECHNICIAN and SUPERVISOR templates.
 
While this fix ensures that incorrect access settings are not applied to any future groups, it does not revoke the existing delete access that was previously granted by the templates. You must remove access to the DELETE authorization in the MXAPIWODETAIL object structure for all groups that are linked to either the SUPERVISOR or TECHNICIAN templates.
 
To remove the existing delete access, perform the following steps for each group that is linked to either the SUPERVISOR or TECHNICIAN templates:
 
1. Open the Security Groups application.
2. Find the group that is linked to either the SUPERVISOR or TECHNICIAN templates and open it.
3. Click the Object Structures tab.
4. In the Object Structures table, find the MXAPIWODETAIL row and select it.
5. In the options table, uncheck the Grant Access check box for only the Delete MXAPIWODETAIL option.
6. Save the record.
 
In versions of Maximo Asset Management prior to 7.6.1.2, you must also update the TECHNICIAN and SUPERVISOR templates to remove the DELETE authorization for the MXAPIWODETAIL object structure. However, you cannot modify out-of-the-box templates by using the user interface. You must execute the following database statement to remove the delete access: 
delete from wctemplateauth where app = 'MXAPIWODETAIL' and workcenter in ('TECHNICIAN','SUPERVISOR') and template in ('TECHNICIAN','SUPERVISOR') and optionname='DELETE';
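The following audit queries are an added example and are not part of the IBM bulletin. The first query uses the wctemplateauth table and columns named in the bulletin's own DELETE statement and lists the template rows that statement removes, so it can be run before the change to preview it and afterwards to confirm it (it should then return no rows). The second query lists security groups that still carry DELETE on the object structure, which the template fix does not revoke; it assumes a Maximo table APPLICATIONAUTH with columns groupname, app and optionname, which is an assumption about the schema and should be confirmed against your own database.

```sql
-- Added example, not from the IBM bulletin. wctemplateauth and its columns
-- (app, workcenter, template, optionname) are taken from the bulletin's own
-- statement; APPLICATIONAUTH(groupname, app, optionname) is an assumed schema.

-- 1. Template rows granting DELETE on MXAPIWODETAIL. These are exactly the
--    rows the bulletin's DELETE statement removes: run before the change to
--    preview, and after it, when the result set should be empty.
select workcenter, template, app, optionname
  from wctemplateauth
 where app = 'MXAPIWODETAIL'
   and workcenter in ('TECHNICIAN', 'SUPERVISOR')
   and template in ('TECHNICIAN', 'SUPERVISOR')
   and optionname = 'DELETE';

-- 2. Security groups that still hold DELETE on the object structure.
--    Fixing the templates leaves previously copied grants in place, so every
--    group returned here still needs the Delete MXAPIWODETAIL option unchecked
--    in the Security Groups application before the mitigation is complete.
--    Assumed table and columns: APPLICATIONAUTH(groupname, app, optionname).
select groupname, app, optionname
  from applicationauth
 where app = 'MXAPIWODETAIL'
   and optionname = 'DELETE'
 order by groupname;
```

The second query deliberately reports every group with the DELETE grant rather than only those linked to the TECHNICIAN or SUPERVISOR templates, since the bulletin does not name the table that records group-to-template linkage; review any group it returns against the business need for deleting work orders before revoking.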

References

Change History

15 Nov 2019: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
12 January 2022

UID

ibm11108503