The Open Group Open Management Infrastructure (OMI)
"CIM/WBEM Manageability Services Broker"
You are here:  > OMI > Documents > OMI Source Patch - v.1.0.7.a
Title: OMI Source Patch - v.1.0.7.a
Version: 1.0.7.a

Table of Contents

1. How to apply this update.
2. Summary of issues
3. Detailed description


1. How to apply this update.

There are two diff files in this package. They must be applied separately to fix the issues below. Order of applying the fix is not important.
     # cd <root of the source of OMI 1.0.7>
     # patch –p0 < Security_Bug_1.0.7.a.diff
     # patch –p0 < Functionality_Bugs_1.0.7.a.diff


2. Summary of issues

This OMI patch release (named - 1.0.7.a) fixes following three issue in OMI release 1.0.7

  i. Security issue in OMI allowing remote user to execute with elevated privileges.
 
 ii. The Invoke method fails on a Method with Embedded Instance as a parameter if the Key values are not specified in the embedded instance.
 
iii. OMI server does not return namespace of MI instances.
 

3. Detailed description of each bug

  i. Security issue in OMI allowing remote user to execute with elevated privileges.
     Severity: Important
     Problem: This patch fixes a security issue in OMI, which may lead to escalation of privilege for authenticated users in some cases. OMI always authenticates users by default, so anonymous user would not be able to exploit this issue.
This security fix must be applied to OMI to prevent authenticated users from getting elevated privileges.
Not having this fix may potentially lead to remote authenticated user gaining root access to the system.

 ii. The Invoke method fails on a Method with Embedded Instance as a parameter if the Key values are not specified in the embedded instance.
     Severity: Important
     Problem: If an method take embedded instance as input parameter and key property value are not specified in the parameter, then the invocation to the method would fail. This is due to omiserver check that parameters of EmbeddedInstance type has to have valid (non-null) key property value.
     This is an important fix. Not having this fix may prevent the clients from executing methods that have embedded instance.

iii. OMI server does not return namespace of MI instances
     Severity: Important
     Problem: If there are two classes registered in separate namespaces with an association defined in between, OMI server fails to include the namespace in response to association query. Provider will be able to post associated instance, but the server does not generate selector element as of result message even if the associated instance has namespace set. This will cause the client to get result instance(s) without namespace.


For further information, please contact ottoh@microsoft.com

<End>

Attachments: gz omi-patch.1.0.7.a.tar.gz  
Created by: o.helweg on 10-May-13
If you experience any problems with broken links, or incorrect or unexpected functionality, click here to request help.
   |   Legal Notices & Terms of Use   |   Privacy Statement   |   Top of Page   Return to Top of Page
  PHPlato: 2.0 (680) [p]