IV96845: Ability to bypass security and use unauthorized functions


Testers found that they had the ability to add reports to the My Reports page in TRIRIGA, even though the links for New, Copy, Delete, Copy as Community Report, and Share Report were not present for the read-only users.

Moving forward, a privilege escalation issue in Report Manager has been resolved.

[Admin: To see other related posts, use the Vulnerability tag or CVE tag.]


IV96795: User without access can add security via Admin Console


A user who has limited access to people records (such as an External Vendor Admin), and who should not have access to add/delete licenses and security groups, is able to add licenses and security groups to an external vendor by running a command in the TRIRIGA Admin Console.

Moving forward, a client-side vulnerability that could allow a user to escalate their privilege has been resolved.

[Admin: To see other related posts, use the Vulnerability tag or CVE tag.]


Security: IBM TRIRIGA Application Platform vulnerabilities & fixes


[Updated 03.29.17]

For convenience, here are some recent CVE IDs.

CVE ID | Summary | APAR
CVE-2016-9737 | The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. |
CVE-2017-1153 | The IBM TRIRIGA Report Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access. |
CVE-2017-1171 | The IBM TRIRIGA Application Platform contains a vulnerability that could allow authenticated users to execute application actions to which they do not have access. |
CVE-2017-1180 | The IBM TRIRIGA Document Manager contains a vulnerability that could allow authenticated users to execute actions to which they do not have access. |

[Admin: This post is related to the 05.17.16 post and the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]


IV93811: Privilege escalation vulnerability in project context


The project context can be set to a project where the user does not have Capital Project security access. A user cannot modify or update data inside the project when they do this. However, the TRIRIGA platform should prevent the setting of this context from ever occurring in the first place.

Users can set the project container through direct URL manipulation. Moving forward, the privilege escalation vulnerability has been resolved.

[Admin: This post is related to the 03.01.17 post about a privilege escalation vulnerability in the Report Manager, and the 02.13.17 post about the relationship between project context and security.]


IV93762: Privilege escalation vulnerability in Report Manager


The IBM TRIRIGA application is affected by a privilege escalation vulnerability. Specifically, IBM TRIRIGA Report Manager contains a vulnerability that could allow an authenticated user to execute actions to which they should not have access.


How do you copy your Oracle DB schema for TRIRIGA Support?


To create a logical copy of your TRIRIGA database schema, use the Oracle data pump for exporting database dump files. More information can be found here in the Oracle Help Center. It is recommended to run these steps from your database server with a privileged database user, and to stop the TRIRIGA application beforehand.

(1) Create a directory object in Oracle pointing at the location where you want the dump written. Information on how to do this can be found here in the Oracle Help Center.

(2) Run the export command expdp as follows. Substitute the variables properly.

expdp <db_admin>/<admin_pw> DUMPFILE=<dpump_dir>:<filename>.dmp SCHEMAS=<schema_name> LOGFILE=<dpump_dir>:expschema.log
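As an added shell wrapper for step 2 (example code, not part of the original article), assuming expdp is on PATH, the directory object from step 1 exists, and TRIRIGA is already stopped. The function names (valid_ident, build_expdp_args, export_schema) are hypothetical; unlike the one-liner above, it leaves the password off the command line, where it would be visible in the process list and shell history, and lets expdp prompt for it instead.

```shell
#!/bin/sh
# Added example: wraps the expdp step for a TRIRIGA schema export.
# Assumptions: expdp on PATH, directory object created (step 1),
# TRIRIGA stopped. The admin password is deliberately not passed on the
# command line; expdp prompts for it when only the user name is given.

# Accept only plain Oracle identifier characters, so a schema or
# directory name cannot smuggle extra expdp parameters into the call.
valid_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the expdp argument list for: admin user, directory object,
# schema name, dump file base name. Returns 1 on an invalid identifier.
build_expdp_args() {
    admin=$1; dir=$2; schema=$3; base=$4
    valid_ident "$admin" && valid_ident "$dir" \
        && valid_ident "$schema" && valid_ident "$base" || return 1
    printf '%s DUMPFILE=%s:%s.dmp SCHEMAS=%s LOGFILE=%s:expschema.log\n' \
        "$admin" "$dir" "$base" "$schema" "$dir"
}

# Run the export and confirm the Data Pump log reports success.
# $5 is the filesystem path behind the directory object (to read the log).
export_schema() {
    args=$(build_expdp_args "$1" "$2" "$3" "$4") \
        || { echo "invalid identifier in arguments" >&2; return 1; }
    # shellcheck disable=SC2086  # word splitting is intended; args validated
    expdp $args || return 1
    grep -q 'successfully completed' "$5/expschema.log"
}
```

Call it as `export_schema system dpump_dir tridata tridata_export /u01/dpump` (constructed sample values); a non-zero exit means either expdp failed or the log did not end with a successful-completion line.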

[Admin: The same article is also posted in the Watson IoT Support blog.]


IV85134: Inactive and active form actions do not look different


If a form action is inactive, or you do not have the security privileges to access the form, then the action appears as normal. In previous application versions, there was a different appearance to indicate that you could not click the action. However, with the new UI and change to the action view type on a form, this is no longer the case. It is therefore very misleading to a user that they are meant to click on the action, which will result in customer support tickets.

There is an issue with the font weight of actions. If the section navigation is not active, then the system sets the font weight to normal. Moving forward, the section action, if rendered as a button, will appear as not active when the action is inactive.
