Turn Off Tabs
Solutions Business Manager 11.7.1 Security Bulletin
This document contains important security information for SBM. This document is only available to registered customers who log in to the Support site. Last updated on 2020-03-26.


General Information

Internet applications are always vulnerable to attacks by various malicious users, abusive bots, and crawlers that can exploit weaknesses in the data security model to gain unauthorized access to important data. SBM is scanned for Web application security as part of the certification process upon each release, and it is thoroughly tested using the following assessments to validate the security of the enterprise data that is stored in the database.

  • Cross site scripting (XSS)
  • Access control weaknesses
  • OS and SQL injection flaws
  • Cross site request forgery (CSRF)
  • Cookie manipulation
  • Hidden field manipulation
  • Insecure storage
  • Insecure configuration

Any vulnerability that is detected during these tests can be exploited to gain access to sensitive enterprise data and ultimately lead to financial loss. Our development and quality assurance organizations endeavor to expose and resolve these types of potential vulnerabilities during each testing cycle. We take security seriously. We strive to aggressively enhance SBM to safeguard against any new vulnerabilities that are discovered.


The improvements described in this bulletin apply to SBM 11.7.1. To take advantage of these improvements and safeguard your system, consider upgrading to version SBM 11.7.1.

For detailed upgrade steps from earlier versions of SBM, refer to the SBM 11.7.1 release notes.

Minimum Security Configuration

Security vulnerabilities will only be reviewed and addressed (cases accepted) after SBM is configured with the following:

  • IIS with HTTPS enabled and HTTP disabled
  • Tomcat with HTTPS enabled and HTTP disabled
  • IIS and TOMCAT must use customer-supplied SSL certificates that you supply
  • Notification Server and Mail Client must use SSL
  • SSL legacy protocols are not enabled
  • SSO URLs are all HTTPS; no HTTP entries
  • Integrations must run with trusted certificates for SSO
  • All certificates in SBM must be regenerated in SBM Configurator or use additional customer-supplied certificates
  • No default certificates installed with SBM may be in use

Recommended Security Configuration

To configure recommended security settings for SBM, perform the following:

  • Replace the default certificates that are installed with SBM by generating new certificates in SBM Configurator. The steps that you perform to secure SBM with new certificates depend on how SBM is installed. For details, refer to “Securing SBM” in the SBM Installation and Configuration Guide or the SBM Configurator help.
  • On the SBM Application Engine server, set the Web Application Firewall filter level to Block on the Security | Secure SBM sub-tab in SBM Configurator.
  • On each SBM server in your installation:
    • Change SSO keystore passwords on the Security | Secure SSO sub-tab in SBM Configurator.
    • Encrypt SSO configuration files on the Security | Secure SSO sub-tab in SBM Configurator.
    • Enable HTTP secure response headers in the Security | Secure Response Headers sub-tab in SBM Configurator.
      • Enable all of the options that appear.
      • Ensure that anti-click jacking is enabled. For the Load page in frame option, select Allow from the same origin.
    • Disable HTTP and enable HTTPS for IIS and Tomcat. Obtain valid certificates from a well-known Certificate Authority.
  • Enable a secure password policy using the options in the Authentication | Password Restrictions sub-tab in SBM Configurator.
  • Configure restricted and allowed files types using the DisallowedFileExtensions and MaxFileObjSelections options the TS_SYSTEMSETTINGS table. This enables you to block or allow certain file types, as well as impose a restriction on the number of files that can be added to an item (the recommended limit is 10 files). For details, refer to S143109.


The following fixes and improvements were made in the SBM 11.7.1 release.

  • Added FIPS 140-2 Compliance (EPIC 105170)

    For systems that require compliance with the U.S. federal government security standard FIPS 140-2, you can now enable FIPS 140-2 compliance directly in SBM. This ensures that all encryption within SBM uses FIPS 140-2 certified encryption libraries and FIPS 140-2 certified algorithms.

  • Improved Encryption (EPIC 105170)

    All encryption performed by SBM was audited and improved to use stronger, more secure algorithms in both FIPS and non-FIPS modes.

  • XSS on Attach URL (DEF336098)

    Fixed a potential XSS vulnerability with the Attach URL item action.

  • XSS: Do Not Allow Opening Restricted File Attachments (DEF337165)

    Fixed a potential XSS vulnerability related to attached files on work items.

  • Access Privileges Issue in Application Repository (DEF336103)

    Fixed a potential security issue that enables a non-administrator to log in to Application Repository.

  • Session Management in Application Repository and commonsvc (DEF336103)

    A new session ID is generated upon successful authentication when SSO is disabled.

  • Information Disclosure in Theme Import (DEF336108)

    Removed the tempdirectory and tempdirectoryandfile parameters from the authentication error response when importing Work Center themes.

  • Global System Setting to Restrict Attachments (ENH338649)

    A DBA can modify the following new entries in the TS_SYSTEMSETTINGS table:
    • DisallowedFileExtensions – A comma-separated list of file extensions that are not valid at the system level. You can use the list to block or allow certain file types.
    • MaxFileObjSelections – Limits the total number of files that can be attached to an item via Add File or via a File Field.

    Refer to S143109 for help with modifying these settings in the database.

  • Encryption Algorithm Used in the Application Engine Database (DEF337364)

    The encryption algorithm that is used in the SBM Application Engine database was changed to AES256 in the following areas:

    • Certain rows in TS_SYSTEMSETTINGS, TS_SYSTEMSETTINGSNAMESPACED with lower(TS_NAME) in ('clientcertsslcallbackauthncertkeypassword','ldapadminpwd','mapipassword','smtpauthpassword','nsexchangepassword','mcexchangepassword')
    • Fields in primary and auxiliary tables that have the Password option checked

This release also addresses the following potential security vulnerabilities:

  • CVE-2019-18942 - Stored XSS
  • CVE-2019-18943 - XML External Entity processing
  • CVE-2019-18944 - Reflected XSS
  • CVE-2019-18945 - Privilege escalation
  • CVE-2019-18946 - Session fixation
  • CVE-2019-18947 - Information disclosure

Special thanks goes to Alessio Sergi of Verizon Business (Global Security Services) for responsibly disclosing these CVEs.

Legal Notice

© Copyright 2007–2020 Micro Focus or one of its affiliates.

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are as may be set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Except as specifically indicated otherwise, this document contains confidential information and a valid license is required for possession, use or copying. If this work is provided to the U.S. Government, consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed under vendor's standard commercial license.

Micro Focus encourages the customer to enable attachment extension filtering, which is not enabled by default by Micro Focus. By not implementing attachment extension filtering you may be exposing the system to increased security risks. You understand and agree to assume all associated risks and hold Micro Focus harmless for the same. It remains at all times the customer’s sole responsibility to assess its own regulatory and business requirements. Micro Focus does not represent or warrant that its products comply with any specific legal or regulatory standards applicable to the customer in conducting the customer's business.