APAR status
Closed as program error.
Error description
Problem description: After upgrading IEMSCA from 1.5.92 to 1.6.33, a Nessus vulnerability scan reported an error: https://w3.secintel.ibm.com/vscan/refs/refs.php?nav=0&vuln_id=2382

The finding appears to be triggered because files under WEB-INF can be viewed on the Web server after the upgrade to v1.6.33. Users must NOT be able to view files under WEB-INF directly on the Web server. After upgrading IEMSCA to 1.6.33, however, users can view files under WEB-INF directly on the Web server.

When the path is written as "WEB-INF./" as below (not "WEB-INF/"), files under WEB-INF are shown on the Web server:

<SCA server>/WEB-INF./web.xml

For more detail: on v1.5.92, "web.xml" was not shown and the Web server returned a 404 error.
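A log check for the behaviour described above, as an added example that is not part of the original APAR or of the product's code: it flags requests whose path resolves to WEB-INF, including the "WEB-INF./" form, that the server answered with a non-error status. The log lines are constructed, and the Common Log Format layout and the function names are assumptions; the percent-decoding and case folding go slightly beyond the single path shown in the report.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (Common Log Format); addresses and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jul/2015:10:00:01 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 312
192.0.2.10 - - [13/Jul/2015:10:00:02 +0000] "GET /WEB-INF./web.xml HTTP/1.1" 200 4821
192.0.2.12 - - [13/Jul/2015:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [03/Aug/2015:09:30:00 +0000] "GET /WEB-INF./web.xml HTTP/1.1" 404 312
"""

# Request line and status code from one Common Log Format entry.
LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')


def targets_web_inf(target: str) -> bool:
    """True if any path segment is WEB-INF after percent-decoding,
    lower-casing and removing trailing dots (the "WEB-INF./" form)."""
    path = unquote(urlsplit(target).path)
    return any(seg.rstrip(".").lower() == "web-inf" for seg in path.split("/"))


def find_exposures(log_text: str):
    """Return (request target, status) for WEB-INF requests the server did not refuse."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or not targets_web_inf(m["target"]):
            continue
        status = int(m["status"])
        if status < 400:  # 404 is the expected, safe answer (as on v1.5.92)
            hits.append((m["target"], status))
    return hits


if __name__ == "__main__":
    for target, status in find_exposures(SAMPLE_LOG):
        print(f"served with {status}: {target}")
```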
Local fix
Problem summary
SCA 1.6 allows users to access non-sensitive static information.
Problem conclusion
This issue is resolved in SCA 1.7.
Temporary fix
Comments
APAR Information
APAR number
IV75080
Reported component name
TV EP MG DSS SC
Reported component ID
5725C43SC
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-07-13
Closed date
2015-08-03
Last modified date
2015-08-03
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TV EP MG DSS SC
Fixed component ID
5725C43SC
Applicable component levels
R920 PSY
UP
Document Information
Modified date:
03 August 2015