Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 06.15.16 to add CVE-2016-2883 (2).]

[Updated 06.10.16 to add CVE-2016-2882.]

[Updated 05.31.16 to add CVE-2016-2883 (1).]

For convenience, here are some recent CVE IDs.

CVE ID: Summary

CVE-2016-0362: The IBM TRIRIGA Application Platform allows remote attackers to use one of its web services as a proxy to forward HTTP requests to other internal/external web resources.

CVE-2016-0374: The IBM TRIRIGA Application Platform builder tools are vulnerable to a privilege escalation attack that can result in a user without access having the ability to modify TRIRIGA Applications.

CVE-2016-0386: The IBM TRIRIGA Application Platform is vulnerable to cross-site request forgery (CSRF), caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious website, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting (XSS) attacks, web cache poisoning, and other malicious activities.

CVE-2016-0387: The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE-2016-2882: The IBM TRIRIGA Application Platform could disclose some sensitive server information through URL request responses that could aid an attacker in further attacks against the system.

CVE-2016-2883 (1) and (2): The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

[Admin: This post is related to the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]


IV83296: Privilege escalation vulnerability in builder tools


The TRIRIGA user is able to view or modify resources, and perform functions that they have not been authorized to, at various points throughout the application.

Steps to replicate:

1. Log in to the application with a user who has access to Workflow Builder.
2. Navigate to edit a workflow. Copy the URL.
3. Log in with a user who does NOT have access to Workflow Builder.
4. Adjust the security token in the copied URL and access the Workflow Builder as the non-authorized user.

In review of the failed pen test (penetration test), it seems this issue also exists for Reports (resolved), Lists, Globalization Manager, Currency Conversion, Portal Builder, and the UX Designers.

The TRIRIGA builder tools are vulnerable to privilege escalation: access is decided by a token carried in the URL rather than by the privileges of the logged-in user. Moving forward, this privilege escalation vulnerability within the builder tools has been fixed.
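The steps above describe a forceful-browsing flaw: the server treats a token in the URL as proof of authorization, so a URL minted for an authorized user keeps working when an unauthorized user replays it. The following Python is an added example written for this page, not TRIRIGA code; the user names, group names, tool names, URL layout and token format are all constructed to illustrate the pattern. The exact token format TRIRIGA used is not on the page, so the replay keeps the copied token and adjusts the object id in the URL. The vulnerable handler authorizes on the URL token alone; the hardened handler resolves the principal from the server-side session and re-checks the required group on every request to every builder tool.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed directory of accounts and the security groups they hold.
USERS = {
    "alice": {"WorkflowBuilder", "ReportBuilder"},
    "bob": {"SpaceUser"},
}

# Group each builder tool requires. Tool and group names are assumptions
# made for this example, not TRIRIGA's real identifiers.
TOOL_REQUIRED_GROUP = {
    "workflowBuilder": "WorkflowBuilder",
    "reportBuilder": "ReportBuilder",
    "portalBuilder": "PortalBuilder",
}

SESSIONS = {}       # server-side session store: session id -> user name
ISSUED_TOKENS = {}  # URL token -> tool it was issued for (vulnerable design)


def login(user):
    """Create a server-side session; the id is what the browser holds."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = user
    return sid


def is_authorized(user, tool):
    """Server-side privilege check: does the user hold the tool's group?"""
    return TOOL_REQUIRED_GROUP[tool] in USERS.get(user, set())


def build_tool_url(session_id, tool, object_id):
    """Link handed to an authorized user when they open a builder tool.
    The vulnerable design mints a token bound to the tool, not the user."""
    user = SESSIONS[session_id]
    if not is_authorized(user, tool):
        raise PermissionError(f"{user} may not open {tool}")
    token = secrets.token_urlsafe(12)
    ISSUED_TOKENS[token] = tool
    return f"/app/builder/{tool}?securityToken={token}&objectId={object_id}"


def parse_tool_url(url):
    """Split a builder URL into (tool, securityToken, objectId)."""
    parts = urlsplit(url)
    tool = parts.path.rsplit("/", 1)[-1]
    query = parse_qs(parts.query)
    return (tool,
            query.get("securityToken", [None])[0],
            query.get("objectId", [None])[0])


def vulnerable_open_tool(url, session_id):
    """Authorizes on the URL token alone: any logged-in user presenting a
    token issued for this tool gets in. This is the flaw the APAR describes."""
    tool, token, object_id = parse_tool_url(url)
    if session_id not in SESSIONS:
        return "login required"
    if ISSUED_TOKENS.get(token) != tool:
        return "denied"
    return f"{tool} opened on {object_id}"


def hardened_open_tool(url, session_id):
    """Ignores the URL token for authorization. The principal comes from the
    server-side session and the group check runs on every request."""
    tool, _token, object_id = parse_tool_url(url)
    user = SESSIONS.get(session_id)
    if user is None:
        return "login required"
    if tool not in TOOL_REQUIRED_GROUP or not is_authorized(user, tool):
        return "denied"
    return f"{tool} opened on {object_id}"


def replay_apar_steps(open_tool):
    """Steps 1-4 from the APAR: alice (authorized) opens the Workflow Builder
    and copies the URL; bob (not authorized) logs in, adjusts the copied URL
    and requests it with his own session."""
    alice = login("alice")
    url = build_tool_url(alice, "workflowBuilder", "1001")   # steps 1-2
    bob = login("bob")                                         # step 3
    adjusted = url.replace("objectId=1001", "objectId=2002")   # step 4
    return open_tool(adjusted, bob)


if __name__ == "__main__":
    print("vulnerable:", replay_apar_steps(vulnerable_open_tool))
    print("hardened:  ", replay_apar_steps(hardened_open_tool))
```

The same check belongs in front of every builder tool listed in the APAR (Lists, Globalization Manager, Currency Conversion, Portal Builder, UX Designers), which is why the hardened handler looks the privilege up per tool instead of special-casing the Workflow Builder.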


Having an issue with the Query task in the Workflow Builder


When loading or building a Query Task in the Workflow Builder, a blank window appears and fails to load the dialog. This only seems to occur with query tasks, and does not occur with field mapping, extended formulas, or similar windows within the builder tool set. When viewing with Developer mode enabled, I get the following error in Firefox:

SyntaxError: expected expression, got '<'

In IE11, I get:

SCRIPT1002: Syntax error
File: taskFilter.jsp, Line: 770, Column: 9

Which leads to this:

770 An Error Occurred. Contact your System Administrator. — [MID-3193645048]

This error does not make it into the TRIRIGA error log… Any ideas?


Getting an error in the object migration object finder


We just upgraded our TRIRIGA platform to 3.4.2 in a Sandbox environment. It’s running a supported version of Java 1.7 on the server. While testing various features, I get a Contact System Admin error in the Object Finder section of Object Migration package builder tool. This is a piece of the error in the error log. Any ideas?

ERROR [com.tririga.platform.error.ErrorHandler](Default Executor-thread-57) Report handled exception: com.tririga.platform.error.PlatformRuntimeException: java.lang.ExceptionInInitializerError[MID-1447779642] com.tririga.platform.error.PlatformRuntimeException: java.lang.ExceptionInInitializerError at com.tririga.platform.om.domain.OMPackageImpl.getObjectFinderUtil(OMPackageImpl.java:655)


Why upgrade to TRIRIGA Platform 3.4.2 and Application 10.4.2?


The current release of TRIRIGA includes Platform 3.4.2 and Application 10.4.2. This is a powerful release for a number of reasons… Here are some of the key values:

  • We removed several Java applets, minimizing the need for client configurations.
  • We removed some Adobe vector graphics tooling that conflicted with Microsoft security updates; recent MS security patches had caused the Workflow Builder to stop functioning correctly.
  • We improved application security in the TRIRIGA platform to address currently known security vulnerabilities, always a challenge in today's technology.
  • We added HTML5 functionality that supports a broad range of browsers (IE, Firefox, Chrome, Safari) instead of just IE9.
  • We expanded the capabilities of straight line lease (in the 10.4.2 applications).
  • We addressed a number of APARs (defects) identified in 3.4.1 and earlier releases…

[Admin: This post is related to the 06.18.15 post about TRIRIGA upgrades.]
