Security Bulletin: Missing authorization concept for document upload and download in IBM Business Process Manager (BPM) CMIS integration (CVE-2015-1904)

Summary

IBM Business Process Manager offers integration with external Enterprise Content Management (ECM) systems. If a process app is configured to always connect to an external ECM system using a predefined technical system account (rather than the actual end user), then the process app developer has no way of controlling access to upload or download functions for documents in the external ECM system.

Vulnerability Details

CVEID: CVE-2015-1904**
DESCRIPTION:** IBM Business Process Manager offers integration with external Enterprise Content Management (ECM) systems. If a process app is configured to always connect to an external ECM system using a predefined technical system account (rather than the actual end user), then the process app developer has no way of controlling access to upload or download functions for documents in the external ECM system.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101728&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

• IBM Business Process Manager V8.0.x through V8.5.6.0

Remediation/Fixes

Install the interim fix for APAR JR53209 as appropriate for your current IBM Business Process Manager version.

• IBM Business Process Manager Express
• IBM Business Process Manager Standard
• IBM Business Process Manager Advanced

This fix introduces a server-side configuration option to enable/disable a customizable security service. This service can check the permission of a user and can be created and selected using the new service selector labeled “External ECM Document Authorization Service”. It is added to the Server Settings for the added Enterprise Content Manager Server(s) and is needed for server definitions with the “Always use this connection information” checkbox enabled.

The service is used by the Document List and Document Viewer coach views from the Content Management (SYSCM) toolkit when they perform operations that cannot be customized using an Ajax Service. These operations are the creation, update, and download of a document. The service is not used when you directly invoke the Content Integration operation from a human service, Ajax service, and integration service.

This service should have the following signature:

Input parameters:
1. documentId (ECMID)
2. objectTypeId (ECMID)
3. action (String) The actions available for creating, downloading, and updating external ECM documents are: “ACTION_CREATE_DOCUMENT”, “ACTION_GET_DOCUMENT_CONTENT”, and “ACTION_UPDATE_DOCUMENT” respectively.
4. serverName (String)

Output parameter:
1. authorized (Boolean)

The following example is a sample configuration of new option, which you can configure in the 100Custom.xml file:

<server>
<!-- enable the document authorization security service –>
<enable-document-authorization-security-service>true</enable-document-authorization-security-service>
</server>

For more information, see “Changing server properties in 100Custom.xml” and “The 99Local.xml and 100Custom.xml configuration files”.

Note: The new configuration option is enabled and no service is defined by default. In order to continue using the Document List and Document Viewer coach views, the security service should either be created and implemented or it should be disabled by setting the configuration option mentioned above to false in the 100Custom.xml file.

Workarounds and Mitigations

None