IC96174: The appliance might allow unauthenticated access to administrative operations and data.

APAR status

  • Closed as program error.

Error description

  • The appliance might allow unauthenticated access because of a
    security vulnerability.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of the IBM WebSphere DataPower    *
    *                  XC10 Appliance, Version 2.0 or higher.      *
    ****************************************************************
    * PROBLEM DESCRIPTION: A user can obtain access with           *
    *                      administrative privileges to the        *
    *                      data grid without authentication.       *
    ****************************************************************
    * RECOMMENDATION:  Install a firmware level containing this    *
    *                  APAR.                                       *
    ****************************************************************
    VULNERABILITY DETAILS:
    CVE-2013-5403 - A knowledgeable user can obtain access to the
    machine with administrative privileges without authentication.
    CVSS Base Score: 10.0
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/87299
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:C/A:C)
    AFFECTED PRODUCTS AND VERSIONS:
    All fix pack and interim fix levels of the following versions
    are affected:
    WebSphere DataPower XC10 Appliance version 2.0
    WebSphere DataPower XC10 Appliance version 2.1
    WebSphere DataPower XC10 Appliance version 2.5
    REMEDIATION:
    WebSphere DataPower XC10 Appliance users running 2.0 versions
    of the firmware must apply one of the version 2.1 firmware
    upgrades.
    For WebSphere DataPower XC10 Appliance 2.1 on appliance
    9235-92X apply the Version 2.1 Fix Pack 3 firmware upgrade
    (APAR IC96174).
    For WebSphere DataPower XC10 Appliance 2.1 on appliance
    7199-92X apply the Version 2.1 Fix Pack 3 firmware upgrade
    (APAR IC96174).
    For WebSphere DataPower XC10 Appliance 2.5 on appliance
    7199-92X apply the Version 2.5 Fix Pack 1 firmware upgrade
    (APAR IC96174).
    For WebSphere DataPower XC10 Appliance V2.5 virtual image,
    apply the Version 2.5 Fix Pack 1 firmware upgrade (APAR
    IC96174).
    

Problem conclusion

  • The firmware was corrected to prevent this issue from
    occurring. The APAR is available in the following firmware
    versions: V2.1 Fix Pack 3 and V2.5 Fix Pack 1.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC96174

  • Reported component name

    WSDATAPOWER XC1

  • Reported component ID

    5765H4200

  • Reported release

    250

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-09-23

  • Closed date

    2013-09-30

  • Last modified date

    2013-09-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WSDATAPOWER XC1

  • Fixed component ID

    5765H4200

Applicable component levels

  • R200 PSY

       UP

  • R210 PSY

       UP

  • R250 PSY

       UP



Document information


More support for:

WebSphere DataPower XC10 Appliance

Software version:

2.5.0.2

Reference #:

IC96174

Modified date:

2013-09-30
