Security Fix Required: Access problems with BasicAuthTAI in WebSphere Portal

Flash (Alert)


Abstract

IBM has identified a serious vulnerability in IBM WebSphere Portal in an authentication component that makes it possible for remote attackers over the network to bypass normal WebSphere Portal server security. Through this attack, an intruder might be able to execute administrative commands without proper authority.

Content

** Note: This is a republish of an older flash. It does not affect WebSphere Portal 6.1.0.1 or later releases. **

Cause
The authentication code of WebSphere Portal can be bypassed under certain circumstances, granting access to an administrative account without knowledge of that account's credentials.


Solution

This issue was reported to IBM Remote Technical Support and is corrected in the following releases:

Customers on versions 6.0.1, 6.0.1.1, 6.0.1.3, 6.0.1.4 and 6.0.1.5 must apply the fix for APAR PK75304.
Customers on version 6.1.0.0 (6.1) on non-z/OS platforms must also apply the fix for APAR PK75304.

Versions not listed above are not affected by this issue, or already have the fix integrated.



    Cross reference information

    | Segment | Product | Component | Platform | Version | Edition |
    |---|---|---|---|---|---|
    | Enterprise Content Management | Workplace Web Content Management | Portal Integration | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.0.1.5, 6.0.1.4, 6.0.1.3, 6.0.1.2, 6.0.1.1, 6.0.1 | Java edition |
    | Enterprise Content Management | IBM Web Content Manager | Portal Integration | AIX, HP-UX, i5/OS, Linux, Solaris, Windows | 6.1 | Java edition |
    | Organizational Productivity - Portals & Collaboration | Lotus Quickr | Security | Linux, Windows | 8.1.1, 8.1, 8.0.0.2, 8.0 | All Editions |

Document information

More support for: WebSphere Portal, Security
Software version: 6.0.1, 6.0.1.0, 6.0.1.1, 6.0.1.3, 6.0.1.4, 6.0.1.5, 6.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
Software edition: Enable, Express, Extend, Server
Reference #: 1369956
Modified date: 2009-02-04
