Global Security Forum

  • 1.  IBM Security Identity Manager v6.0.2 Dynamic roles bug

    Posted Tue August 15, 2023 08:20 AM
    Hello! Recently I found a bug in dynamic role evaluation. Prerequisites:
    1. Clean ISIM 6.0.2.4
    2. Two dynamic roles specified. One of them has 1) a multi-valued attribute 2) with unicode characters 3) and a substring match. The second role is for control.
    For example:
    "Test role 1" with filter "(&(title=superhero)(erAliases=雪*))"
    "Test role 2" with filter "(title=superhero)"
     
    When a user is created with attributes matching both roles (title=superhero, erAliases=雪風), only Test role 2 is assigned to the user. If the user is modified, Test role 1 is still not assigned.
    The user can be found in User management if the filter from Test role 1 is copied into Advanced user search.
     
    Only modifying the role itself includes the user in that role.
    Moreover, if a user with said attributes has already been in the role and the user is modified, the role disappears.
     
    As the whole provisioning policies mechanism can rely on dynamic roles, I consider such behaviour to have a significant security impact.


    ------------------------------
    Amogh Blue
    ------------------------------


  • 2.  RE: IBM Security Identity Manager v6.0.2 Dynamic roles bug

    Posted Wed August 16, 2023 07:28 AM

    An update.

    The attribute does not have to be multi-valued. So the conditions to reproduce are: 1) the attribute has unicode characters and 2) a substring match is used. The role filters can be simplified:

    "Test role 1" with filter "(preferredLanguage=Ўзб*)"
    "Test role 2" with filter "(preferredLanguage=Ўзбек)"


    ------------------------------
    Amogh Blue
    ------------------------------



  • 3.  RE: IBM Security Identity Manager v6.0.2 Dynamic roles bug

    Posted Mon September 04, 2023 08:06 AM

    Hi,

    It looks like it should be the target of a support incident; nevertheless, version 6.X is out of support, so you will have to migrate and validate the behaviour in version 10.X.



    ------------------------------
    Felipe Risalde Serrano
    Security Expert
    Banco de España
    ------------------------------



  • 4.  RE: IBM Security Identity Manager v6.0.2 Dynamic roles bug

    Posted Mon February 26, 2024 11:06 AM

    An update 2.

    Following Felipe Risalde Serrano's suggestion, I tested the described behaviour in the latest ISIM (ISVG IM) 10.0.1.5.
    The bug remains there as well (moreover, design forms and change operations servlet bugs have been added).



    ------------------------------
    Amogh Blue
    ------------------------------



  • 5.  RE: IBM Security Identity Manager v6.0.2 Dynamic roles bug

    Posted Tue February 27, 2024 04:44 AM

    You need to raise a case to get this reported; this is not an official support forum, just a place where informal help is given on a best-effort basis.

    I am wondering if this is a local issue, as I would have expected this to have been found by many users. Can you check what code page your LDAP server is running? It is in <instance>/etc/ibmslapd.conf, in the ibm-slapdSetenv: DB2CODEPAGE=1208 setting.

    HTH



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------



  • 6.  RE: IBM Security Identity Manager v6.0.2 Dynamic roles bug

    Posted Tue May 07, 2024 08:16 AM

    Hello! Thank you for your reply!

    Unfortunately, I do not have access to any technical support plans, as this is just a student account. All I can do is highlight the problems found, so that IBM can notice and check them.

    As for ibmslapd.conf, the value is exactly the same: "ibm-slapdSetenv: DB2CODEPAGE=1208".



    ------------------------------
    Amogh Blue
    ------------------------------



  • 7.  RE: IBM Security Identity Manager v6.0.2 Dynamic roles bug

    Posted Tue May 07, 2024 08:45 AM

    Sorry, but that is not how a commercial product works: bugs need to be reported through a case so that it can be determined whether this is a product issue or a customer deployment issue.

    And this very forum is trying to help you on our own time and effort - so your expectations are simply wrong.

    Your codepage setting seems correct, but there can be a lot of reasons this fails.

    My suggestion is that you try to use the IBM ldapsearch client (it is part of the ISDS server) and see what it returns if you perform the searches directly on the LDAP. This may give a hint whether this is an ISIM problem, a problem in the underlying LDAP, or a problem of storing the unicode characters correctly in the filter.

    HTH 



    ------------------------------
    Franz Wolfhagen
    WW IAM Solution Engineer - Certified Consulting IT Specialist
    IBM Security Expert Labs
    ------------------------------
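The control check suggested in the last reply, worked through as an added example (it is not IBM's code and was not posted by anyone in the thread): a small evaluator for the subset of RFC 4515 LDAP filters used by the role definitions in posts 1 and 2 (and/or/not, equality, presence, substring), run against an in-memory copy of the user's attributes. It gives the membership the filters should yield by plain LDAP matching semantics, independent of ISIM, and it also re-serialises a filter with RFC 4515 hex escapes (`雪` becomes `\e9\9b\aa`) so the same search can be pasted into a command-line ldapsearch without depending on the terminal's code page. The sample user and the assumption that the attributes use caseIgnore matching are constructed for the example.

```python
"""Local control check for the dynamic-role filters discussed in this thread.

Added example: not IBM's code, not from the thread. Evaluates a subset of
RFC 4515 filters against an in-memory entry and emits the hex-escaped form
of a filter. Assumes caseIgnore matching for the attributes involved.
"""
import re

# Constructed sample user, modelled on the attributes named in the thread.
SAMPLE_USER = {
    "title": ["superhero"],
    "erAliases": ["雪風", "yukikaze"],      # multi-valued, non-ASCII
    "preferredLanguage": ["Ўзбек"],
}

# The role filters quoted in posts 1 and 2.
ROLE_FILTERS = {
    "Test role 1": "(&(title=superhero)(erAliases=雪*))",
    "Test role 2": "(title=superhero)",
    "Test role 1 (simplified)": "(preferredLanguage=Ўзб*)",
    "Test role 2 (simplified)": "(preferredLanguage=Ўзбек)",
}


def escape_value(value):
    """RFC 4515 escaping: specials and every non-ASCII UTF-8 byte become \\xx."""
    out = []
    for b in value.encode("utf-8"):
        if b < 0x20 or b > 0x7E or b in b"*()\\":
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def unescape_value(value):
    """Inverse of escape_value; raw non-ASCII text passes through unchanged."""
    # Work on one-char-per-byte (latin-1) text so each \xx maps to one byte.
    raw = value.encode("utf-8").decode("latin-1")
    raw = re.sub(r"\\([0-9A-Fa-f]{2})",
                 lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), raw)
    return raw.encode("latin-1").decode("utf-8")


def _split_components(s):
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'], honouring nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in %r" % s)
    return parts


def parse_filter(text):
    """Parse a filter string into a tree of tuples."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|"):
        return (body[0], [parse_filter(c) for c in _split_components(body[1:])])
    if body[:1] == "!":
        return ("!", [parse_filter(body[1:])])
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("unsupported filter item: %r" % text)
    if value == "*":
        return ("present", attr, None)
    if "*" in value:   # split before unescaping so an escaped \2a stays a literal '*'
        return ("substring", attr, [unescape_value(p) for p in value.split("*")])
    return ("equal", attr, unescape_value(value))


def serialize(node):
    """Render a parsed filter back to text with all non-ASCII bytes escaped."""
    kind = node[0]
    if kind in ("&", "|", "!"):
        return "(%s%s)" % (kind, "".join(serialize(c) for c in node[1]))
    attr, value = node[1], node[2]
    if kind == "present":
        return "(%s=*)" % attr
    if kind == "substring":
        return "(%s=%s)" % (attr, "*".join(escape_value(p) for p in value))
    return "(%s=%s)" % (attr, escape_value(value))


def matches(node, entry):
    """Evaluate a parsed filter against an entry (dict of attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    # Attribute names are case-insensitive in LDAP.
    vals = next((v for k, v in entry.items() if k.lower() == node[1].lower()), [])
    if kind == "present":
        return bool(vals)
    if kind == "equal":
        return any(v.casefold() == node[2].casefold() for v in vals)
    # substring: pieces are initial, any..., final; an empty piece requires nothing
    pattern = ".*".join(re.escape(p.casefold()) for p in node[2])
    return any(re.fullmatch(pattern, v.casefold(), re.DOTALL) for v in vals)


def expected_roles(entry, role_filters=ROLE_FILTERS):
    """Roles the entry should hold under plain RFC 4515 matching semantics."""
    return {name: matches(parse_filter(f), entry) for name, f in role_filters.items()}


if __name__ == "__main__":
    for name, held in expected_roles(SAMPLE_USER).items():
        print("%-26s %s" % (name, "member" if held else "not a member"))
    for name, f in ROLE_FILTERS.items():
        print("%-26s %s" % (name, serialize(parse_filter(f))))
```

Every filter from the thread matches the sample user here, so any product that drops the user from "Test role 1" while keeping "Test role 2" is diverging from the filter's own semantics somewhere between the role definition and the directory query. Running the escaped form that `serialize` prints through the directory server's own ldapsearch client, as suggested above, separates a directory-side substring/code-page problem from an ISIM-side one.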