Security leak on objects with an individual access definition

Last update: 4 August 2017


Summary

A security problem was found when using the Access Definition for individual access (Zugriffsdefinition für den individuellen Zugriff) or one of the ACLs for individual access: the property Groups Participating in Workflow is updated incorrectly, granting access to users who are not directly involved in the workflow.

This access definition and ACLs are mostly used in the Fabasoft eGov-Suite AUT, but are available in all Fabasoft eGov-Suite editions. It depends on your solution whether this access definition or ACLs are actually used. Fabasoft Folio is not affected. For detailed information on affected versions refer to the Applies to section.

Information

When Add New Activities (Vorschreiben) is performed on an object that uses the Access Definition for individual access (Zugriffsdefinition für den individuellen Zugriff) or one of the ACLs for individual access, in order to assign a process to a user, the group of that user is added to Groups Participating in Workflow.

As a result, every member of that group gains access to the information contained in the object, although only the user named in the process should have been granted access.
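The following toy model, added here for illustration and not taken from Fabasoft code, reproduces the over-grant described above and shows the corrected behaviour beside it. The data model (a per-object set of participating users and a set of participating groups), the access check, and the user directory are assumptions made for the example; only the property name Groups Participating in Workflow is taken from the advisory. The audit helper at the end lists users who can read an object solely through a group entry without being named in any activity, which is the condition an administrator would want to look for on existing objects.

```python
"""Toy model of the 'Groups Participating in Workflow' over-grant (not Fabasoft code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    group: str  # assumption: one primary group per user


@dataclass
class WorkflowObject:
    # Users named directly in an activity on this object.
    participating_users: set = field(default_factory=set)
    # Modelled counterpart of 'Groups Participating in Workflow'.
    participating_groups: set = field(default_factory=set)


def assign_activity_vulnerable(obj: WorkflowObject, assignee: User) -> None:
    """Faulty behaviour: the assignee's whole group is recorded as participating."""
    obj.participating_users.add(assignee.name)
    obj.participating_groups.add(assignee.group)


def assign_activity_fixed(obj: WorkflowObject, assignee: User) -> None:
    """Corrected behaviour: only the named user participates."""
    obj.participating_users.add(assignee.name)


def can_read(obj: WorkflowObject, user: User) -> bool:
    """Assumed access check: direct participant OR member of a participating group."""
    return user.name in obj.participating_users or user.group in obj.participating_groups


def who_can_read(obj: WorkflowObject, directory: list) -> list:
    return sorted(u.name for u in directory if can_read(obj, u))


def group_only_readers(obj: WorkflowObject, directory: list) -> list:
    """Audit: users who can read only via a group entry, without being named in an activity."""
    return sorted(
        u.name
        for u in directory
        if u.name not in obj.participating_users and u.group in obj.participating_groups
    )


# Constructed sample directory: alice and bob share a group, carol is elsewhere.
DIRECTORY = [
    User("alice", "registry"),
    User("bob", "registry"),
    User("carol", "legal"),
]


def demo(assign) -> dict:
    """Assign one activity to alice with the given behaviour and report who can read."""
    obj = WorkflowObject()
    assign(obj, DIRECTORY[0])
    return {
        "readers": who_can_read(obj, DIRECTORY),
        "group_only": group_only_readers(obj, DIRECTORY),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(assign_activity_vulnerable))
    print("fixed:     ", demo(assign_activity_fixed))
```

With the faulty assignment, bob can read the object only because he shares alice's group, and the audit helper reports him; with the corrected assignment, only alice has access and the audit list is empty.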

Solution

A hotfix is available for all supported versions of the Fabasoft eGov-Suite and is provided via our Support team. Please contact Fabasoft Support (or your TAM contact) if you require this hotfix.

Applies to:

  • Fabasoft eGov-Suite 2012
  • Fabasoft eGov-Suite 2012 SP1
  • Fabasoft eGov-Suite 2013
  • Fabasoft eGov-Suite 2013 Update Rollup 1
  • Fabasoft eGov-Suite 2014 Update Rollup 1

when using: Access Definition for individual access (Zugriffsdefinition für den individuellen Zugriff) or one of the ACLs for individual access

Hotfix available for:
  • Fabasoft eGov-Suite 2012
  • Fabasoft eGov-Suite 2012 SP1
  • Fabasoft eGov-Suite 2013
  • Fabasoft eGov-Suite 2013 Update Rollup 1
  • Fabasoft eGov-Suite 2014 Update Rollup 1
Fix included in:
  • Fabasoft eGov-Suite 2013 Update Rollup 2
  • Fabasoft eGov-Suite 2014 Update Rollup 2
