IC90711: (SSPCM) PEN TEST: L-003 INADEQUATE APPLICATION ERROR HANDLING AND SUPPRESSION

APAR status

  • Closed as program error.

Error description

  • Detailed error messages often result from unhandled or
    unexpected exceptions within application code.
    These messages are often the stepping-stone to more complex
    attacks because they typically indicate why an error
    occurred, information that can be leveraged to refine
    an attack.
    

Local fix

  • STRRTC - 367002
    DE/RJ
    Circumvention:
    Update to latest SSPcm Build
    

Problem summary

  • A security scan determined that the Sterling Secure Proxy
    Configuration Manager may return an error and a Java stack
    trace to the browser when erroneous input data is entered. An
    attacker can exploit this to obtain information about the
    application to design further attacks.
    

Problem conclusion

  • Updated the SSP CM to catch errors and suppress the printing of
    stack traces to the browser so that it doesn't send
    unnecessary information to a would-be attacker.
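
    The pattern described above, as an added example that is not IBM's or SSP CM's code: a wrapper catches any exception from a request handler, writes the full stack trace to the server log under a random incident ID, and returns only a generic message with that ID to the browser. It uses the JDK's built-in com.sun.net.httpserver; the class name SafeErrorHandler, the /square endpoint and port 8080 are assumptions made for the demonstration.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Hypothetical wrapper: unhandled exceptions are logged server-side, never sent to the client. */
public final class SafeErrorHandler implements HttpHandler {
    private static final Logger LOG = Logger.getLogger(SafeErrorHandler.class.getName());
    private final HttpHandler delegate;
    public SafeErrorHandler(HttpHandler delegate) { this.delegate = delegate; }

    @Override
    public void handle(HttpExchange ex) {
        try {
            delegate.handle(ex);
        } catch (Exception e) {
            // Full stack trace goes to the server log, keyed by a random incident ID.
            String id = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "incident " + id + " path=" + ex.getRequestURI().getRawPath(), e);
            try {
                respond(ex, 500, "An internal error occurred. Reference: " + id + "\n");
            } catch (IOException | RuntimeException late) {
                // Headers were already sent or the client went away; nothing more to send.
                LOG.log(Level.FINE, "incident " + id + ": could not send error page", late);
            }
        } finally {
            ex.close();
        }
    }
    static void respond(HttpExchange ex, int status, String text) throws IOException {
        byte[] body = text.getBytes(StandardCharsets.UTF_8);
        ex.getResponseHeaders().set("Content-Type", "text/plain; charset=utf-8");
        ex.sendResponseHeaders(status, body.length);
        ex.getResponseBody().write(body);
    }
    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);
        // Constructed demo endpoint: a non-numeric query string makes parseInt throw.
        server.createContext("/square", new SafeErrorHandler(ex -> {
            int n = Integer.parseInt(String.valueOf(ex.getRequestURI().getRawQuery()));
            respond(ex, 200, (long) n * n + "\n");
        }));
        server.start();
    }
}
```

    Requesting /square?abc returns a 500 with the generic message and reference only; the NumberFormatException and its trace appear in the server log under the same incident ID.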
    

Temporary fix

  • Corrected and caught a number of errors previously thrown to
    the browser.
    

Comments

  • Fix included in SSP3417.
    

APAR Information

  • APAR number

    IC90711

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    340

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-03-08

  • Closed date

    2013-05-01

  • Last modified date

    2013-05-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R341 PSY

       UP



Document information


More support for:

Sterling Secure Proxy

Software version:

3.4

Reference #:

IC90711

Modified date:

2013-05-01
