When logging into TRIRIGA, I do not see all of the workflow actions that I should have access to, like New and Copy.
You did not have the Application Builder license applied. Make sure that you not only have full access to the Workflow Builder through the Security Manager, but that you also have the Application Builder license applied to your ID in your profile. Then go to the License Manager to make sure that you are listed for that particular license.
[Admin: This post is related to the 02.08.16 post about finding information on the IBM TRIRIGA licenses.]
[Updated 06.15.16 to add CVE-2016-2883 (2).]
[Updated 06.10.16 to add CVE-2016-2882.]
[Updated 05.31.16 to add CVE-2016-2883 (1).]
For convenience, here are some recent CVE IDs.
||The IBM TRIRIGA Application Platform allows remote attackers to use one of its web services as a proxy to forward HTTP requests to other internal/external web resources.
||The IBM TRIRIGA Application Platform builder tools are vulnerable to a privilege escalation attack that can result in a user without access having the ability to modify TRIRIGA Applications.
||The IBM TRIRIGA Application Platform is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting (XSS) attacks, web cache poisoning, and other malicious activities.
||The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
||The IBM TRIRIGA Application Platform could disclose some sensitive server information through URL request responses that could aid an attacker in further attacks against the system.
|The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
[Admin: This post is related to the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]
How did I miss this little nugget of awesomeness in 3.4.2?
“Production Mode is no longer needed in the platform. The system now refreshes the cache automatically when working in builder tools, removing the need for repeatedly loading metadata from the database. This eliminated a huge overhead on the database. (Tri-142286)”
Does anyone know definitively after loading OM packages if we should clear the cache?
No need. The system clears the cache when the import completes.
The TRIRIGA user is able to view or modify resources, and perform functions that they have not been authorized to, at various points throughout the application.
Steps to replicate:
1. Log in to the application with a user who has access to Workflow Builder.
2. Navigate to edit a workflow. Copy the URL.
3. Log in with a user who does NOT have access to Workflow Builder.
4. Adjust the security token in the copied URL and access the Workflow Builder with a non-authorized user.
In review of the failed pen test (penetration test), it seems this issue also exists for Reports (resolved), Lists, Globalization Manager, Currency Conversion, Portal Builder, and the UX Designers.
The TRIRIGA builder tools are vulnerable to privilege escalation. Moving forward, we fixed a privilege escalation vulnerability within the builder tools.
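The class of flaw in the replication steps above, modelled as an added example (this is not TRIRIGA code): one handler accepts any valid session token as proof of access, while the other also checks the user's grant for the requested tool on every request. The HMAC token scheme, the user names and the grants table are assumptions constructed for the illustration; the tool names are the ones listed in the report.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # constructed value, not a real secret

# Builder tools named in the report above.
BUILDER_TOOLS = ["Workflow Builder", "Lists", "Globalization Manager",
                 "Currency Conversion", "Portal Builder", "UX Designers"]

# Constructed users and the tools their security groups grant.
GRANTS = {
    "builder_admin": set(BUILDER_TOOLS),
    "facilities_user": set(),
}

def session_token(user):
    """Per-session token (assumed scheme): an HMAC over the user name."""
    return hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()

def token_ok(user, token):
    """Constant-time check that the URL token belongs to this user."""
    return hmac.compare_digest(session_token(user), token)

def handle_vulnerable(user, tool, token):
    """Flawed pattern: a valid token is treated as proof of access."""
    if not token_ok(user, token):
        return 401
    return 200  # never checks whether `user` is granted `tool`

def handle_hardened(user, tool, token):
    """Authenticate, then authorize each request; deny by default."""
    if not token_ok(user, token):
        return 401
    if tool not in GRANTS.get(user, set()):
        return 403
    return 200

def reachable_tools(handler, user):
    """Regression check: tools the user can open by requesting them directly."""
    token = session_token(user)
    return [t for t in BUILDER_TOOLS if handler(user, t, token) == 200]

if __name__ == "__main__":
    for handler in (handle_vulnerable, handle_hardened):
        print(handler.__name__, reachable_tools(handler, "facilities_user"))
```

Running `reachable_tools` against every builder tool, rather than only Workflow Builder, mirrors the pen test finding that the same gap existed across several tools.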
When loading or building a Query Task in the Workflow Builder, a blank window appears and fails to load the dialog. This only seems to occur with query tasks, and does not occur with field mapping, extended formulas, or similar windows within the builder tool set. When viewing with Developer mode enabled, I get the following error in Firefox:
SyntaxError: expected expression, got '<'
In IE11, I get:
SCRIPT1002: Syntax error
File: taskFilter.jsp, Line: 770, Column: 9
Which leads to this:
770 An Error Occurred. Contact your System Administrator. — [MID-3193645048]
This error does not make it into the TRIRIGA error log… Any ideas?
We just upgraded our TRIRIGA platform to 3.4.2 in a Sandbox environment. It’s running a supported version of Java 1.7 on the server. While testing various features, I get a Contact System Admin error in the Object Finder section of Object Migration package builder tool. This is a piece of the error in the error log. Any ideas?
ERROR [com.tririga.platform.error.ErrorHandler](Default Executor-thread-57) Report handled exception: com.tririga.platform.error.PlatformRuntimeException: java.lang.ExceptionInInitializerError[MID-1447779642] com.tririga.platform.error.PlatformRuntimeException: java.lang.ExceptionInInitializerError at com.tririga.platform.om.domain.OMPackageImpl.getObjectFinderUtil(OMPackageImpl.java:655)
The current release of TRIRIGA includes Platform 3.4.2 and Application 10.4.2. This is a powerful release for a number of reasons… Here are some of the key values:
- We removed several Java applets, minimizing the need for client configurations.
- We removed some Adobe vector graphics tooling that was in conflict with Microsoft security. Recent MS security patches were causing workflow builder to stop functioning correctly.
- We improved application security in the TRIRIGA platform in line with currently known security vulnerabilities — always a challenge in today’s technology.
- We added HTML5 functionality that supports a broad range of browsers (IE, Firefox, Chrome, Safari) instead of just IE9.
- We expanded the capabilities of straight line lease (in the 10.4.2 applications).
- We addressed a number of APARs (defects) identified in 3.4.1 and earlier releases…
[Admin: This post is related to the 06.18.15 post about TRIRIGA upgrades.]