Security: Possible security exposure where one might be able to see another's response data in certain scenarios (PK41446, PK42875 and PK46618)

 Flash (Alert)
 
Abstract
In some scenarios, after a closed connection error, the webcontainer may corrupt a buffer being used to send a response, allowing one user to see another user's response data as part of the response to their own request.
 
Content
Versions affected:
All IBM® WebSphere® Application Server versions 6.0 through 6.1.0.7 for Distributed, versions 6.0 through 6.0.2.17 and 6.0.2.19 for i5/OS, and versions 6.0 through 6.1.0.8 for z/OS.
This problem does not occur in versions 4.0, 5.0, 5.1, 6.0.2.20 and later, and 6.1.0.9 and later.

Problem Description:
In some scenarios, data intended to be part of a response to a first request is added to the response of a second request. This only occurs when a request is cancelled whilst the webcontainer is building a response for the request, and depending on timing.

Three (3) scenarios are possible:
  1. Things clean-up correctly and no problem occurs. This is the most likely outcome.
  2. Some response data of the cancelled request is added to the response of a subsequent request.
  3. Some response data for a first subsequent request is added to the response of a different subsequent request.

As an example of the symptoms, a customer may see response data of another customer as part of a response to a request. At approximately the same time as the problem is observed, a closed connection FFDC log would be created. The FFDC event occurs when a request is terminated by a client whilst the webcontainer is in the process of loading a response for the request into memory.

Solutions:
Applying APAR PK41446 removes the possibility of the last two scenarios (previously mentioned) occurring as a result of the cancelling of a request. It also includes code to check whether or not response data buffer corruption occurs in the webcontainer and if it does, the request is terminated.

For releases after V6.0.2.15 and V6.1.0.2, the likelihood of scenario 2 (previously mentioned) occurring is significantly reduced, and the possibility of scenario 3 (previously mentioned) occurring is eliminated.

For IBM WebSphere Application Server for Distributed:
For IBM WebSphere Application Server for i5/OS:
    For V6.0 through 6.0.2.17:
    For V6.0.2.19:
    • If you obtained and installed the original Fix Pack 19 (V6.0.2.19), dated prior to May 30, 2007, you must apply interim fix APAR PK41446.
    • If you obtained and installed the refreshed Fix Pack 19 (V6.0.2.19), dated May 30, 2007 or later, no additional steps are necessary. The refresh Fix Pack 19 contains the fix for PK41446.

    Note for V6.0.2.19: If you have already installed Fix Pack 19 (V6.0.2.19) for i5/OS, you may determine which version you have installed by viewing the file install_root/properties/version/os400.java.component.
    • If the build-version value is 'cf190717.15', you have the original Fix Pack 19 (V6.0.2.19) (dated prior to May 30, 2007).
    • If the build-version value is not 'cf190717.15', you have the refreshed Fix Pack 19 (V6.0.2.19) (dated May 30, 2007 or later).
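    The following script is an added example, not part of the IBM flash, that automates the check above: it reads the build-version value from install_root/properties/version/os400.java.component and reports whether the original or the refreshed Fix Pack 19 is installed. It assumes the component file is an XML descriptor carrying a build-version="..." attribute (the page names only the file and the value), and the sample files it writes are constructed stand-ins; the refreshed build value in the sample is a placeholder, not a real IBM build id.

```shell
#!/bin/sh
# Added example (not IBM's code): classify an installed i5/OS Fix Pack 19
# (V6.0.2.19) as the original build, which still needs interim fix PK41446,
# or the refreshed build, which already contains it.
#
# Assumption: os400.java.component is an XML descriptor with a
# build-version="..." attribute; only the file name and the value
# 'cf190717.15' come from the IBM page.

ORIGINAL_FP19_BUILD="cf190717.15"   # build-version of the original Fix Pack 19

# Print the first build-version attribute value found in the given file.
get_build_version() {
    sed -n 's/.*build-version="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print "original", "refreshed" or "unknown" for the given component file.
classify_fp19() {
    bv=$(get_build_version "$1")
    if [ -z "$bv" ]; then
        echo "unknown"           # file missing or no build-version attribute
    elif [ "$bv" = "$ORIGINAL_FP19_BUILD" ]; then
        echo "original"          # interim fix APAR PK41446 must be applied
    else
        echo "refreshed"         # refreshed Fix Pack 19 already contains PK41446
    fi
}

# Constructed sample files standing in for os400.java.component.
# The refreshed build id below is a placeholder, not a real IBM build value.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/original.component" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<component name="os400.java" spec-version="6.0" build-version="cf190717.15"/>
EOF
cat > "$SAMPLE_DIR/refreshed.component" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<component name="os400.java" spec-version="6.0" build-version="cf19_REFRESHED_PLACEHOLDER"/>
EOF

# Usage on a real system: set INSTALL_ROOT to the WebSphere install root
# and the script classifies the installed Fix Pack 19 component file.
if [ -n "$INSTALL_ROOT" ]; then
    echo "Installed Fix Pack 19 is: $(classify_fp19 "$INSTALL_ROOT/properties/version/os400.java.component")"
fi
echo "sample original  -> $(classify_fp19 "$SAMPLE_DIR/original.component")"
echo "sample refreshed -> $(classify_fp19 "$SAMPLE_DIR/refreshed.component")"
```

    Run it with INSTALL_ROOT pointing at the WebSphere installation; an "original" result means interim fix APAR PK41446 still has to be applied, while "unknown" means the file could not be read and the installed level should be confirmed by other means before assuming the fix is present.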

    For V6.1:

For IBM WebSphere Application Server for z/OS:

For additional details and information on WebSphere Application Server product updates:
 
 
Cross Reference information
Segment             | Product                                | Component | Platform                                                                                                                          | Version                                                                                                                                                                                          | Edition
Application Servers | Runtimes for Java Technology           | Java SDK  |                                                                                                                                   |                                                                                                                                                                                                  |
Application Servers | WebSphere Application Server - Express |           | AIX, HP-UX, i5/OS, Linux, Linux pSeries, Linux Red Hat - pSeries, Linux Red Hat - zSeries, Linux zSeries, OS/400, Solaris, Windows | 6.1.0.7, 6.1.0.5, 6.1.0.3, 6.1.0.2, 6.1.0.1, 6.1, 6.0.2.9, 6.0.2.7, 6.0.2.5, 6.0.2.3, 6.0.2.2, 6.0.2.19, 6.0.2.17, 6.0.2.15, 6.0.2.13, 6.0.2.11, 6.0.2.1, 6.0.2, 6.0.1.2, 6.0.1, 6.0.0.3, 6.0.0.2, 6.0 | All Editions
Application Servers | WebSphere Application Server for z/OS  | General   | OS/390, z/OS                                                                                                                      | 6.1.0.6, 6.1.0.5, 6.1.0.4, 6.1.0.3, 6.1.0.2, 6.1.0.1, 6.1, 6.0.2, 6.0.1, 6.0                                                                                                                     | All Editions
Application Servers | WebSphere Application Server for z/OS  |           | z/OS                                                                                                                              | 6.1, 6.0                                                                                                                                                                                         |
 
 

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Document information
 Product categories:
 Software
 Application Servers
 Distributed Application & Web Servers
 WebSphere Application Server
 General
 Operating system(s):
  AIX, HP-UX, IBM i, Linux, Solaris, Windows
 Software version:
  6.0, 6.0.0.2, 6.0.0.3, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.3, 6.0.2.4, 6.0.2.5, 6.0.2.6, 6.0.2.7, 6.0.2.8, 6.0.2.9, 6.0.2.11, 6.0.2.13, 6.0.2.15, 6.0.2.17, 6.0.2.19, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.5, 6.1.0.7
 Software edition:
  Base, Developer, Express, Network Deployment
 Reference #:
  1266069
 IBM Group:
 Software Group
 Modified date:
 2007-08-06
