Abstract

With IBM WebSphere Application Server, the use of specific characters in JSP URLs might expose JavaServer Pages (JSP) source code rather than the rendered JSP page. With these APAR fixes, an error code or the formatted output, as appropriate, will properly be displayed instead.

Content

A possible security exposure has been identified in WebSphere Application Server in which, under four different configurations, raw JSP source content may be served to a browser. The configurations are as follows:
- Serving a JSP from an Application WAR. Access is possible to a JSP file stored under the application WAR directory when fileServingEnabled is set to true in the ibm.web.ext.xmi file.
- Serving a JSP from an Extended Document Root. Access is possible to a JSP file from an extendedDocumentRoot directory when fileServingEnabled is set to true in the ibm.web.ext.xmi file.
- Serving a JSP from an Application WAR with servlet caching enabled. Same as the first scenario, but with servlet caching enabled and with a caching policy which uses the com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class for servlet caching.
- Serving a JSP from an Extended Document Root with Servlet Caching enabled. Same as the second scenario, but with servlet caching enabled and with a caching policy which uses the com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class for servlet caching.
This document addresses these four identified configurations only. For example, if servlet caching is enabled and a class other than com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class is used for servlet caching, that class may also cause an exposure, but such cases are not covered here.
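As an added example (not IBM's code and not part of the original technote), the following Python script maps a module's settings onto the four configurations listed above, so an administrator can see which ones a deployment matches before consulting the APAR list. It assumes an ibm-web-ext.xmi layout in which fileServingEnabled is an attribute of the root WebAppExtension element and an extended document root is given as a fileServingAttributes name/value child, and a cachespec.xml layout in which a servlet cache-entry carries a class of "servlet" and a name; both sample files are constructed for the example.

```python
"""Audit helper for the four file-serving configurations named in the
advisory. Added example, not IBM code. The ibm-web-ext.xmi layout it reads
(fileServingEnabled on the root WebAppExtension element, extendedDocumentRoot
as a fileServingAttributes name/value child) and the cachespec.xml layout
(cache-entry with class "servlet" and a name) are assumptions about those
file formats; both samples below are constructed."""
import xml.etree.ElementTree as ET

SIMPLE_FILE_SERVLET = "com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class"

# Constructed sample: file serving on, plus an extended document root.
SAMPLE_WEB_EXT = """<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi"
    xmi:id="WebAppExtension_1" fileServingEnabled="true">
  <webApp href="WEB-INF/web.xml#WebApp_ID"/>
  <fileServingAttributes xmi:id="FileServingAttribute_1"
    name="extendedDocumentRoot" value="/opt/shared/docroot"/>
</webappext:WebAppExtension>
"""

# Constructed sample: a servlet caching policy that names SimpleFileServlet.
SAMPLE_CACHESPEC = """<?xml version="1.0"?>
<cache>
  <cache-entry>
    <class>servlet</class>
    <name>com.ibm.ws.webcontainer.servlet.SimpleFileServlet.class</name>
    <cache-id>
      <component id="" type="pathinfo"><required>true</required></component>
    </cache-id>
  </cache-entry>
</cache>
"""


def parse_web_ext(xml_text):
    """Return (fileServingEnabled, [extended document roots]) from ibm-web-ext.xmi."""
    root = ET.fromstring(xml_text)
    enabled = root.get("fileServingEnabled", "false").strip().lower() == "true"
    ext_roots = [
        e.get("value")
        for e in root.iter()
        if e.tag.endswith("fileServingAttributes")
        and e.get("name") == "extendedDocumentRoot"
        and e.get("value")
    ]
    return enabled, ext_roots


def cachespec_uses_simple_file_servlet(xml_text):
    """True if any servlet cache-entry in cachespec.xml names SimpleFileServlet."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("cache-entry"):
        cls = (entry.findtext("class") or "").strip()
        name = (entry.findtext("name") or "").strip()
        if cls == "servlet" and name == SIMPLE_FILE_SERVLET:
            return True
    return False


def audit(web_ext_xml, servlet_caching_enabled, cachespec_xml=None):
    """Map a module's settings onto the advisory's four configurations.

    1: WAR file serving                  2: extended document root
    3: 1 with servlet caching via SimpleFileServlet
    4: 2 with servlet caching via SimpleFileServlet
    """
    enabled, ext_roots = parse_web_ext(web_ext_xml)
    result = {"file_serving": enabled, "extended_document_roots": ext_roots,
              "scenarios": [], "notes": []}
    if not enabled:
        # fileServingEnabled="false" is the hardened setting: none of the
        # four configurations applies, whatever the caching policy says.
        return result
    caching_via_sfs = (servlet_caching_enabled and bool(cachespec_xml)
                       and cachespec_uses_simple_file_servlet(cachespec_xml))
    if caching_via_sfs:
        result["scenarios"].append(3)
        if ext_roots:
            result["scenarios"].append(4)
    else:
        result["scenarios"].append(1)
        if ext_roots:
            result["scenarios"].append(2)
        if servlet_caching_enabled:
            result["notes"].append(
                "servlet caching is enabled with a policy that does not name "
                "SimpleFileServlet; the advisory does not cover that case")
    return result


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_EXT, servlet_caching_enabled=True,
                cachespec_xml=SAMPLE_CACHESPEC))
```

Whether servlet caching is enabled is a web container setting rather than something in ibm-web-ext.xmi, so the script takes it as a flag. A module whose fileServingEnabled is "false" reports no matching configuration, which is the check to run after disabling file serving on a level that has no APAR available.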
If any of these methods are used, a fix may or may not be required depending on the method enabled and on the level of WebSphere Application Server and operating system in use. Details of the APARs required are included below. Note that after any required APAR(s) is applied, the browser will either display an error code or the properly formatted output, whichever is the appropriate response.

For WebSphere Application Server for Distributed Platforms:

For V6.1.0.2 through 6.1.0.3 (for Microsoft Windows only):
If servlet caching is enabled as previously described:
For V6.1 through 6.1.0.1:
- For Microsoft Windows only:
If servlet caching is enabled as previously described:
Otherwise:
- For IBM AIX, Linux, Solaris, HP-UX:
For V6.0.2.13 through 6.0.2.15 (for Microsoft Windows Only):
If servlet caching is enabled as previously described:
For V6.0.2.5 to 6.0.2.11:
- For Microsoft Windows only:
If servlet caching is enabled as previously described:
Otherwise:
- For IBM AIX, Linux, Solaris, HP-UX:
For V6.0.2.3:
- For Microsoft Windows only:
If servlet caching is enabled as previously described:
Otherwise:
- For IBM AIX, Linux, Solaris, HP-UX:
If servlet caching is enabled as previously described:
Otherwise:
For V6.0.2 through 6.0.2.1:
- For Microsoft Windows only:
If servlet caching is enabled as previously described:
Otherwise:
- For IBM AIX, Linux, Solaris, HP-UX:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
Otherwise:
For V6.0.0.2 through 6.0.1.2:
- For Microsoft Windows only:
If servlet caching is enabled as previously described:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
Otherwise:
- For IBM AIX, Linux, Solaris, HP-UX:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
Otherwise:
For V6.0.0.1:
- For Microsoft Windows only:
If servlet caching is enabled as previously described:
Otherwise:
- For IBM AIX, Linux, Solaris, HP-UX:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
Otherwise:
For V5.1.1.11:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.1.1.9 (for Microsoft Windows only):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.1.1.4 through 5.1.1.10 (for IBM AIX, Linux, Solaris, HP-UX) and V5.1.1.4 through 5.1.1.8 and 5.1.1.10 (for Microsoft Windows):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.1.1.3:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.1.0.2 through 5.1.1.2:
- For Microsoft Windows only:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
- For IBM AIX, Linux, Solaris, HP-UX:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.1 through 5.1.0.1:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.0.2.18:
- Apply Interim Fix APAR PK43894
For V5.0.2.10 to 5.0.2.17:
- Apply Interim Fix APAR PK23475
For V5.0.2.8 to 5.0.2.9 (for Microsoft Windows only):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V5.0.2.5 to 5.0.2.7 (for Microsoft Windows only):
For V5.0.2.2 to 5.0.2.4 (for Microsoft Windows only):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
- Apply either Interim Fix APAR PK23475 or Interim Fix APAR PQ91033
For V5.0.2.2 to 5.0.2.9 (for IBM AIX, Linux, Solaris, HP-UX):
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
For V5.0.2 to 5.0.2.1:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
- Apply Interim Fix APAR PK23475
Otherwise:
- Apply either Interim Fix APAR PK23475 or Interim Fix APAR PQ91033
For V5.0.1:
- For Microsoft Windows only:
- For IBM AIX, Linux, Solaris, HP-UX:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
- Apply either Interim Fix APAR PK23475 or Interim Fix APAR PQ91033
For V5.0:
- For Microsoft Windows only:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
- For IBM AIX, Linux, Solaris, HP-UX:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
For V4.0.5 through 4.0.7:
If serving files from an Extended Document Root without servlet caching enabled or with servlet caching enabled as previously described:
Otherwise:
- Apply Interim Fix APAR PK24173
For V4.0.3 through 4.0.4:
Upgrade to V4.0.5 or later, available from Recommended Fixes for WebSphere Application Server, and then follow the instructions previously described for the new upgraded level.

For IBM WebSphere Application Server for z/OS platforms:

For V6.1.0.2 through 6.1.0.4:
- Apply APAR PK36741 (PK32374), for Fix Pack 5 (V6.1.0.5), or later.
- 6.1.0.5 PTFs are UK20982, UK21009, UK21015, UK21016, UK21017, and UK21027.
For V6.0.2.13 through 6.0.2.16:
- Apply APAR PK35633 (PK32374), for Fix Pack 17 (V6.0.2.17), or later.
- 6.0.2.17 PTFs are UK20459, UK20460, and UK20461.
For V5.1 prior to W510236:
- Apply APAR PK27728 (PTF UK16713) for service level W510236, or later.
For V5.0 prior to W502042:
- Apply APAR PK27727 (PTF UK17760) for service level W502042, or later.
For IBM WebSphere Application Server for iSeries, i5/OS, and OS/400 platforms:

For V6.1 through 6.1.0.1:
- Apply Interim Fix APAR PK23475
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
For V6.0.2.5 to 6.0.2.11:
- Apply Interim Fix APAR PK23475
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
For V6.0.2.3:
If servlet caching is enabled as previously described:
- Apply Interim Fix APAR PK32374
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
Otherwise:
- Apply Interim Fix APAR PK23475
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
For V6.0.2 through 6.0.2.1:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
- Apply Interim Fix APAR PK23475
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
Otherwise:
- Apply either Interim Fix APAR PK23475 or Interim Fix APAR PK22928
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
For V6.0.0.2 through 6.0.1.2:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
- Apply Interim Fix APAR PK23475
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
Otherwise:
- Apply either Interim Fix APAR PK23475 or Interim Fix APAR PK22928
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
For V6.0.0.1:
If serving files from an Extended Document Root without servlet caching enabled as previously described:
- Apply Interim Fix APAR PK23475
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
Otherwise:
- Apply either Interim Fix APAR PK23475 or Interim Fix APAR PK22928
--Or--
- Apply the current WebSphere Application Server group PTF and install the Fix Pack according to the group PTF instructions.
For V5.0 and V5.1:
- Apply the current WebSphere Application Server group PTF.
Change history

May 2009: Removed link to PK43894. Contact Support.
August 2007: Changed "For V5.0.2.10 to 5.0.2.18: Apply APAR PK23475" to "For V5.0.2.18: Apply APAR PK43894. For V5.0.2.10 to 5.0.2.17: Apply APAR PK23475". (Added APAR PK43894 for release 5.0.2.18 only.) Added 'change history' table.
March 2007: Changed "5.0.2 to 5.0.2.2" to "V5.0.2.2 to 5.0.2.4" and added "For V5.0.2 to 5.0.2.1: If serving files from an extended document root without servlet caching enabled or with servlet caching enabled as previously described: Apply APAR PK23475 Otherwise: Apply either APAR PK23475 or APAR PQ91033".
August 2006: Created and published JSP Security Exposure Flash for WebSphere Application Server.