Possible security exposure with serveServletsByClassnameEnabled (PK52059) on IBM WebSphere Application Server V6.0 and V6.1.

 Flash (Alert)
 
Abstract
Possible security exposure with serveServletsByClassnameEnabled (PK52059) on IBM WebSphere Application Server. On versions 6.0 and 6.1, there is a possible security exposure with the serveServletsByClassnameEnabled feature which is available to be set at the application level, but by default is set to true.
 
Content
Versions affected:
IBM® WebSphere® Application Server versions 6.1.0.9 through 6.1.0.13, 6.1.0.2 through 6.1.0.7, 6.1 through 6.1.0.1, 6.0.2.25, 6.0.2.13 through 6.0.2.23, 6.0.2.9 through 6.0.2.11, 6.0.2.5 through 6.0.2.7,
6.0.2 through 6.0.2.3, 6.0.1 through 6.0.1.2, and 6.0 through 6.0.0.3 for Distributed; 6.1 through 6.1.0.14, 6.0.2.13 through 6.0.2.23, and 6.0.2 through 6.0.2.12 for i5/OS; and 6.1 through 6.1.0.14, and 6.0.2 through 6.0.2.25 for z/OS.
The security exposure does not occur on versions 4.0, 5.0, and 5.1* (see *Note below).

Problem Description:
On versions 6.0 and 6.1, there is a possible security exposure with the serveServletsByClassnameEnabled feature which is available to be set at the application level, but by default is set to true.

serveServletsByClassnameEnabled allows a servlet to be served via a URI that names its Java package and class rather than a servlet mapping. This feature is very useful during early development; however, IBM does not recommend its use in a production setting, because a URI pattern that reveals both the fact that your Internet application is a Java servlet and its Java class name makes public more information than is required. For example, this information may be used by an unwanted intruder who is looking for ways to perform malicious acts on your site.

The defect is that if serveServletsByClassnameEnabled is not explicitly set to false in the deployment information of an application, the default setting of true is used. This policy exposes applications to the vulnerabilities just discussed by default.

Problem Conclusion:
The default setting of serveServletsByClassnameEnabled has been changed to false so that, by default, the deployment descriptor of an application must define a servlet mapping for each servlet class to be served by the application. This closes the vulnerability discussed. However, this change in behavior may result in potential unexpected behavior changes for your applications.

Further, given that serveServletsByClassnameEnabled is set at the application layer and that many existing applications may not have properly set this property (either leaving it unset or setting it to true inappropriately), this APAR has introduced two new properties to allow administrators to override the application settings:
  • Property Name: com.ibm.ws.webcontainer.disallowserveservletsbyclassname
      Description: If set to true, disallows the use of serveServletsByClassnameEnabled at the application server level, overriding any setting of serveServletsByClassnameEnabled at the application level. This property affects all applications.
      Values: true/false(default)
  • Property Name: com.ibm.ws.webcontainer.donotservebyclassname
      Description: A semi-colon delimited list of classes to be disallowed from being served by class name. This property affects all applications for which serveServletsByClassnameEnabled is set to true. It essentially prevents certain classes from being served by classname even though the feature is enabled. This property is ignored if the previous is set to true.
      Values: String, such as com.ibm.BlckedClass1;com.ibm.BlckedClass2;com.ibm.BlckedClass3

Please refer to the following technote for instructions on enabling WebContainer custom properties:
http://www.ibm.com/support/docview.wss?rss=180&uid=swg21284395

Solution:
Applying APAR PK52059, or a Fix Pack containing this APAR, resolves this issue.

Note: After applying this APAR iFix, to enable the serving of servlets by class name, the new custom property com.ibm.ws.webcontainer.disallowserveservletsbyclassname must be set to false (the default) and serveServletsByClassnameEnabled must be enabled for the application that provides the classes to be served.
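
The following is an added audit helper, not IBM code, that applies the rules stated above (the changed default, the server-wide disallow override, the per-class block list, and the Note on re-enabling) to an application's deployment settings and the WebContainer custom properties. It assumes the application-level flag is the serveServletsByClassnameEnabled attribute of the WebAppExtension element in ibm-web-ext.xmi; the sample descriptor, class names and property values are constructed.

```python
"""Decide whether a servlet class could be served by class name under the
PK52059 rules. Added example for this technote, not IBM's implementation."""
import xml.etree.ElementTree as ET

# Constructed sample of an application's ibm-web-ext.xmi. The attribute
# serveServletsByClassnameEnabled is deliberately absent: before PK52059
# that meant "true", after PK52059 it means "false".
SAMPLE_WEB_EXT = """<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi"
    reloadInterval="3" reloadingEnabled="true" fileServingEnabled="true"
    directoryBrowsingEnabled="false" autoRequestEncoding="false"
    autoResponseEncoding="false">
</webappext:WebAppExtension>
"""

DISALLOW_PROP = "com.ibm.ws.webcontainer.disallowserveservletsbyclassname"
BLOCKLIST_PROP = "com.ibm.ws.webcontainer.donotservebyclassname"


def app_setting(web_ext_xml, patched=True):
    """Effective application-level serveServletsByClassnameEnabled.
    An unset attribute defaults to true on unpatched servers and to
    false once APAR PK52059 is applied."""
    root = ET.fromstring(web_ext_xml)
    raw = root.get("serveServletsByClassnameEnabled")  # unprefixed attribute
    if raw is None:
        return not patched
    return raw.strip().lower() == "true"


def served_by_classname(classname, web_ext_xml, container_props, patched=True):
    """True if `classname` could be reached via a serve-by-class-name URI.
    container_props: WebContainer custom properties as a name -> value dict.
    The two override properties only exist on patched servers, so they are
    ignored when patched is False."""
    disallow = container_props.get(DISALLOW_PROP, "false").strip().lower()
    if patched and disallow == "true":
        return False  # server-wide override beats any application setting
    if not app_setting(web_ext_xml, patched):
        return False
    # Semicolon-delimited block list; ignored when DISALLOW_PROP is true
    # (already handled above) or on unpatched servers.
    raw_list = container_props.get(BLOCKLIST_PROP, "")
    blocked = {c.strip() for c in raw_list.split(";") if c.strip()}
    return not (patched and classname in blocked)
```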

*Note: With 5.1, 5.0 and 4.0 the default setting of serveServletsByClassnameEnabled is false. As a result, this is not considered to be a security integrity issue for these versions.

For IBM WebSphere Application Server for Distributed:
    For V6.1.0.9 through 6.1.0.13,
    For V6.1.0.2 through 6.1.0.7, and
    For V6.1 through 6.1.0.1:
    • Apply interim fix APAR PK52059 or Apply Fix Pack 15 (6.1.0.15 has an estimated release date of 4 March 2008), or later.

    For V6.0.2.25:
    • Apply interim fix APAR PK52059 or Apply Fix Pack 27 (6.0.2.27 has an estimated release date of 14 April 2008), or later.

    For V6.0.2.13 through 6.0.2.23:
    • Apply prereq interim fix APAR PK54499, then apply interim fix APAR PK52059, or
    • Apply Fix Pack 27 (6.0.2.27 has an estimated release date of 14 April 2008), or later.

    For V6.0.2.9 through 6.0.2.11,
    For V6.0.2.5 through 6.0.2.7,
    For V6.0.2 through 6.0.2.3,
    For V6.0.1 through 6.0.1.2, and
    For V6.0 through 6.0.0.3:
    • Apply interim fix APAR PK52059 or Apply Fix Pack 27 (6.0.2.27 has an estimated release date of 14 April 2008), or later.

For IBM WebSphere Application Server for i5/OS:
    For V6.1 through 6.1.0.14:
    For V6.0.2.13 through 6.0.2.23:
    • Apply prereq interim fix APAR PK54499, then apply interim fix APAR PK52059, or
    • Apply Fix Pack 27 (6.0.2.27), or later.

    For V6.0.2 through 6.0.2.12:

For IBM WebSphere Application Server for z/OS:
    For V6.1 through 6.1.0.14:
    • Apply APAR PK52059 / PK61188 via PTFs for 6.1.0.15, or later.

    For V6.0.2 through 6.0.2.25:
    • Apply APAR PK52059 / PK60946 via PTFs for 6.0.2.27, or later.


Additional documentation:
For additional details and information on WebSphere Application Server product updates:
 
 
Cross Reference information
Segment             | Product                                 | Component                    | Platform                                                  | Version    | Edition
Application Servers | WebSphere Application Server for z/OS   | Servlet Engine/Web Container | z/OS                                                      | 6.1, 6.0.2 |
Application Servers | WebSphere Application Server - Express  | Not Applicable               | AIX, HP-UX, i5/OS, IBM i, Linux, Solaris, Windows         | 6.1, 6.0.2 | All Editions
 
 

Document information
 Product categories:
 Software
 Application Servers
 Distributed Application & Web Servers
 WebSphere Application Server - Express
 Operating system(s):
  AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS
 Software version:
  6.0.2, 6.1
 Software edition:
  Base, Developer, Enterprise, Express, Network Deployment
 Reference #:
  1288860
 IBM Group:
 Software Group
 Modified date:
 2008-02-01
