IBM Support

IV75080: AN ERROR IS DETECTED FROM NESSUS VULNERABILITY SCAN AFTER UPGRADING IEMSCA TO 1.6.33

APAR status

  • Closed as program error.

Error description

  • Problem description:
    After upgrading IEMSCA from 1.5.92 to 1.6.33, a Nessus
    vulnerability scan reports a finding against the SCA web server:
     https://w3.secintel.ibm.com/vscan/refs/refs.php?nav=0&vuln_id=2382
    The finding is that files under WEB-INF on the web server can be
    retrieved directly after the upgrade to v1.6.33.
    
    A web server must NOT let users retrieve files under WEB-INF
    directly. After the upgrade to IEMSCA 1.6.33, however, such files
    are served when the directory name in the request carries a
    trailing dot, "WEB-INF./" instead of "WEB-INF/":
    
     <SCA server>/WEB-INF./web.xml
    
    For more detail:
    On v1.5.92 the same request for "web.xml" was refused with a 404
    error and the file was not shown.
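
    The trailing-dot request above, as an added example that is not part of
    the APAR or IBM's code: a request-path guard for WEB-INF in the naive
    form that "/WEB-INF./web.xml" slips past, beside a canonicalising form,
    run over a few constructed access-log lines to flag such probes. The
    APAR reports the symptom but not the mechanism, so the example assumes
    the server resolves the segment "WEB-INF." to the real WEB-INF directory;
    the log lines, addresses, sizes and the META-INF entry are assumptions.

```python
"""Added example (not IBM's or the APAR's own code): a request-path guard
for WEB-INF in the naive form that "/WEB-INF./web.xml" slips past, beside a
canonicalising form, and a scan of constructed access-log lines for such
probes.  Assumption: the server resolves the trailing-dot segment "WEB-INF."
to the real WEB-INF directory (the APAR reports the symptom, not the cause).
"""
import posixpath
import re
from urllib.parse import unquote

# META-INF is included as a defensive assumption; the APAR names only WEB-INF.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def naive_guard(path: str) -> bool:
    """Allow the request unless it starts with the literal "/WEB-INF/".

    This is the shape of check the trailing-dot variant bypasses: the
    string "/WEB-INF./web.xml" does not match the prefix, yet the file
    system may still hand back WEB-INF/web.xml.
    """
    return not path.startswith("/WEB-INF/")


def canonical_segments(path: str) -> list[str]:
    """Reduce a request path to the segments the file system would use.

    Percent-decoding is applied twice to catch double encoding, backslashes
    are treated as separators, "." and ".." are collapsed, and trailing
    dots and spaces are stripped from each segment before case-folding.
    """
    decoded = unquote(unquote(path)).replace("\\", "/")
    if not decoded.startswith("/"):
        decoded = "/" + decoded
    collapsed = posixpath.normpath(decoded)
    return [seg.rstrip(". ").casefold() for seg in collapsed.split("/") if seg]


def hardened_guard(path: str) -> bool:
    """Allow the request only if no canonical segment is a protected dir."""
    return not any(seg in PROTECTED_DIRS for seg in canonical_segments(path))


# Common Log Format, with just the fields this scan needs.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample lines (not a real capture): three variants of the
# probe from the APAR and one benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jul/2015:10:01:02 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.5 - - [13/Jul/2015:10:01:03 +0000] "GET /WEB-INF./web.xml HTTP/1.1" 200 2143
10.0.0.5 - - [13/Jul/2015:10:01:04 +0000] "GET /WEB-INF%2e/web.xml HTTP/1.1" 200 2143
10.0.0.9 - - [13/Jul/2015:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def find_webinf_probes(log_text: str) -> list[tuple[str, str, int]]:
    """Return (ip, path, status) for every request the hardened guard rejects.

    A 200 on such a line means the server served the protected file, i.e.
    the condition the Nessus scan flagged; a 404 is a probe that failed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and not hardened_guard(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_webinf_probes(SAMPLE_LOG):
        verdict = "SERVED" if status == 200 else "blocked"
        print(f"{ip} {path} -> {status} ({verdict})")
```

    web.xml is the deployment descriptor: even when it holds no credentials
    it lists servlet mappings and security constraints, so a 200 for any
    variant of this path is worth an alert. The canonicalising guard is a
    filter-side mitigation a web application can apply; the fix the APAR
    records is the upgrade to SCA 1.7.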
    

Local fix

Problem summary

  • SCA 1.6 allows users to access non-sensitive static information.
    

Problem conclusion

  • This issue is resolved in SCA 1.7.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV75080

  • Reported component name

    TV EP MG DSS SC

  • Reported component ID

    5725C43SC

  • Reported release

    920

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-07-13

  • Closed date

    2015-08-03

  • Last modified date

    2015-08-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TV EP MG DSS SC

  • Fixed component ID

    5725C43SC

Applicable component levels

  • R920 PSY

       UP

  • Business Unit: IBM Software w/o TPS (BU059)
  • Product: Tivoli Endpoint Manager for Security and Compliance (SS6MCG)
  • Platform: Platform Independent (PF025)
  • Version: 920
  • Line of Business: Security Software (LOB24)

Document Information

Modified date:
03 August 2015