IC96617: A security vulnerability in WebSphere DataPower XC10 Appliance might allow unauthenticated access.

APAR status

  • Closed as program error.

Error description

  • Certain administrative operations for the appliance can be
    accessed without authentication, which creates a risk of a
    denial of service.
    

Local fix

Problem summary

  • USERS AFFECTED: Deployers of the IBM WebSphere DataPower XC10
    Appliance V2.5 and higher

    PROBLEM DESCRIPTION: A security vulnerability might allow
    unauthenticated access to certain administrative operations.

    RECOMMENDATION: Install a firmware level that contains this APAR.
    For the 7199-92X (2426-92X) model appliance, apply the firmware
    image located here:
    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.5.0-WS-DPXC10-7199-FP0000002&includeSupersedes=0
    For the virtual image, apply the update located here:
    http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=All&platform=All&function=fixId&fixids=2.5.0-WS-DPXC10-VIRT-FP0000002&includeSupersedes=0

    VULNERABILITY DETAILS:
    CVEID: CVE-2013-5428
    DESCRIPTION:
    Certain administrative operations for the appliance can be
    accessed without authentication, creating a risk of a denial of
    service.
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87560
    for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
    

Problem conclusion

  • The vulnerability has been corrected. Please apply the firmware
    image as previously described. This APAR is included in
    firmware versions 2.5 Fix Pack 2 and higher.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IC96617

  • Reported component name

    WSDATAPOWER XC1

  • Reported component ID

    5765H4200

  • Reported release

    250

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-10-03

  • Closed date

    2013-10-23

  • Last modified date

    2013-10-23

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WSDATAPOWER XC1

  • Fixed component ID

    5765H4200

Applicable component levels

  • R250 PSY

       UP



Document information


More support for:

WebSphere DataPower XC10 Appliance

Software version:

2.5.0.2

Reference #:

IC96617

Modified date:

2013-10-23
