NOTE: This message is cross-posted because it affects users of the following webMethods software:
- webMethods Broker 6.0
- webMethods Enterprise 4.x, 5.x
- webMethods ActiveWorks 3.x, 4.x
- Active Software ActiveWorks 3.x

webMethods released a security bulletin today for the above software.
The security bulletin reveals that subscriptions to wildcard Document Types bypass Client Group-level access checks.
This means that any client of the Broker is able to “see” documents that may contain unauthorized data.
If the Broker does not require Client Authentication, however, this point becomes moot – clients are self-assigned and can, therefore, subscribe to any document anyway.
There is no workaround, but a software patch is available. Contact webMethods Technical Services for more information.
I recommend that each of you subscribe to webMethods security bulletins via email. Send a note to email@example.com with the word “Subscribe” in the body of the message to sign up.
Advantage users can also visit the webMethods Security Bulletin Web page.