IC93164: A security vulnerability related to log-off processing exists in WebSphere DataPower XC10 Appliance.

APAR status

  • Closed as program error.

Error description

  • The WebSphere DataPower XC10 Appliance web console has a
    vulnerability in log-off processing.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Administrators of IBM WebSphere DataPower   *
    *                  XC10 Appliance Version 2.1 and higher.      *
    ****************************************************************
    * PROBLEM DESCRIPTION: During log-off processing, a security   *
    *                      vulnerability exists.                   *
    ****************************************************************
    * RECOMMENDATION:  REMEDIATION:                                *
    *                  Install a firmware level that contains this *
    *                  APAR.                                       *
    *                  For the 9235-92X model appliance at V2.1,   *
    *                  this fix is located here:                   *
    *                  http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.1.0.3-WS-DPXC10-9235-IC96617-IC93164&includeSupersedes=0
    *                  For the 7199-92X model appliance at V2.1,   *
    *                  the fix is located here:                    *
    *                  http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.1.0.3-WS-DPXC10-7199-IC96617-IC93164&includeSupersedes=0
    *                  For the 7199-92X appliance model at V2.5,   *
    *                  the fix is located here:                    *
    *                  http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.5.0-WS-DPXC10-7199-FP0000002&includeSupersedes=0
    *                  For the virtual appliance at V2.5, the fix  *
    *                  is located here:                            *
    *                  http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.5.0-WS-DPXC10-VIRT-FP0000002&includeSupersedes=0
    ****************************************************************
    VULNERABILITY DETAILS:
    CVEID: CVE-2013-5446
    DESCRIPTION:
    The WebSphere DataPower XC10 Appliance web console has a
    vulnerability because of a log-off handling weakness.
    CVSS Base Score: 5.8
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87910 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
    

Problem conclusion

  • The security vulnerability has been corrected. Apply the
    appropriate fix as previously described. This APAR
    has been included in the latest builds of 2.1 Fix Pack 3 and is
    included in 2.5 Fix Pack 2.
    

Temporary fix

  • N/A
    

Comments

APAR Information

  • APAR number

    IC93164

  • Reported component name

    WSDATAPOWER XC1

  • Reported component ID

    5765H4200

  • Reported release

    210

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-06-18

  • Closed date

    2013-10-23

  • Last modified date

    2013-10-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WSDATAPOWER XC1

  • Fixed component ID

    5765H4200

Applicable component levels

  • R210 PSY

       UP

  • R250 PSY

       UP



Document information


More support for:

WebSphere DataPower XC10 Appliance

Software version:

2.1.0.3

Reference #:

IC93164

Modified date:

2013-10-23
