IC85748: Authorization for administrative operations is not enforced.

APAR status

  • Closed as program error.

Error description

  • Any user who can authenticate to a WebSphere DataPower XC10
    Appliance collective can perform administrative operations
    using the xscmd command.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Administrators of the WebSphere DataPower   *
    *                  XC10 Appliance.                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The appliance does not enforce          *
    *                      permissions checking by roles for       *
    *                      administrative operations run by        *
    *                      xscmd or other JMX tools.               *
    ****************************************************************
    * RECOMMENDATION:  Install a firmware release that contains    *
    *                  this APAR.                                  *
    ****************************************************************
    Any authenticated user can perform any JMX operation. As a
    result, some administrative operations might be performed by an
    authenticated user who does not belong to the administrative
    role. The appliance permits JMX operations regardless of the
    authority of the user who runs them.
    

Problem conclusion

  • Security authorization enforcement for JMX administrative
    operations has been implemented.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC85748

  • Reported component name

    WSDATAPOWER XC1

  • Reported component ID

    5765H4200

  • Reported release

    200

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-08-08

  • Closed date

    2012-11-28

  • Last modified date

    2012-11-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WSDATAPOWER XC1

  • Fixed component ID

    5765H4200

Applicable component levels

  • R200 PSY

       UP

  • R210 PSY

       UP



Document information


More support for:

WebSphere DataPower XC10 Appliance

Software version:

2.0.0.3

Reference #:

IC85748

Modified date:

2012-11-28
