IBM Support

JR40578: CMVC 213558 - CORRECT A DOJO 1.0.2 SECURITY VULNERABILITY.

APAR status

  • Closed as program error.

Error description

  • A security advisory was recently published describing
    vulnerabilities in Dojo releases v0.4 through v1.4. WebSphere
    Commerce version 6 and version 7 both ship Dojo versions within
    this range and are therefore affected.
    See: http://dojotoolkit.org/blog/dojo-security-advisory for more
    information.
    

Local fix

  • Upgrading to WebSphere Commerce Feature Pack 3 resolves this
    vulnerability. Feature Pack 3 and newer ship Dojo 1.5, which
    does not contain this security vulnerability.
    
    WebSphere Commerce ships with the following DOJO versions:
    V6 FEP 5 - dojo 1.0.2 (affected)
    V7, V7 FEP 1 and V7 FEP 2 - dojo 1.3.1  (affected)
    V7 FEP 3 - dojo 1.5 (not affected)
    
    If you cannot upgrade to WebSphere Commerce Feature Pack 3, it
    is recommended that you replace the following files with the
    updated, secure versions published in the advisory linked above:
    
    Manual steps to correct the issue:
    Pull specific files
    If you have your own custom, modified Dojo source and cannot
    update to the new builds, go to the directories listed in the
    "Updated Builds" section of the advisory, take the files you
    need from the version that most closely matches yours, and copy
    them over the corresponding files in your distribution.
    Some branches do not contain all of these files; replace only
    the files that exist in your distribution:
    Dojo 1.0+
    dojo/resources/iframe_history.html
    dojox/av/FLAudio.js
    dojox/av/FLVideo.js
    dojox/av/resources/audio.swf
    dojox/av/resources/video.swf
    util/buildscripts/jslib/build.js
    util/buildscripts/jslib/buildUtil.js
    util/doh/runner.html
    Dojo 0.4:
    iframe_history.html
    
    In addition to replacing the files listed above, delete any .php
    files in the dojo, dijit and dojox directories if PHP is enabled
    on your web server. Updated versions of the files listed above
    are available from the advisory link.
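    As an added example (not part of this APAR or of the Dojo
    advisory), the following POSIX shell script audits a Dojo
    distribution against the file list above: it reports which of
    the advisory files are present (so you know exactly which ones
    to copy over from the updated build) and finds any .php files
    under dojo/, dijit/ and dojox/ that should be removed when PHP
    is enabled. The fixture tree it builds, and the .php file names
    in it, are constructed for the demonstration and are not the
    contents of any real Dojo release.

```shell
#!/bin/sh
# Added example, not IBM or Dojo project code. Audits a Dojo install
# rooted at a directory that contains dojo/, dijit/, dojox/ and util/.

# File list from the advisory for Dojo 1.0+ (the 0.4 list is just
# iframe_history.html at the top level).
ADVISORY_FILES="dojo/resources/iframe_history.html
dojox/av/FLAudio.js
dojox/av/FLVideo.js
dojox/av/resources/audio.swf
dojox/av/resources/video.swf
util/buildscripts/jslib/build.js
util/buildscripts/jslib/buildUtil.js
util/doh/runner.html"

# Print the advisory files that exist under $1: these are the ones
# that must be replaced with the updated copies.
list_affected_files() {
    root="$1"
    printf '%s\n' "$ADVISORY_FILES" | while IFS= read -r rel; do
        if [ -f "$root/$rel" ]; then printf '%s\n' "$rel"; fi
    done
}

# Print full paths of .php files under dojo/, dijit/ and dojox/ of $1.
list_php_files() {
    root="$1"
    for d in dojo dijit dojox; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f -name '*.php'
        fi
    done | sort
}

# Delete the .php files reported by list_php_files (only do this when
# PHP is enabled on the server, as the APAR advises).
remove_php_files() {
    list_php_files "$1" | while IFS= read -r f; do
        rm -f -- "$f"
    done
}

# Constructed fixture: a minimal fake Dojo 1.3.1-style tree so the
# script can be exercised offline. The .php names are hypothetical.
make_fixture() {
    root="$1"
    mkdir -p "$root/dojo/resources" "$root/dojo/tests/resources" \
             "$root/dojox/av/resources" "$root/util/doh" "$root/dijit/tests"
    : > "$root/dojo/resources/iframe_history.html"
    : > "$root/dojox/av/FLAudio.js"
    : > "$root/dojox/av/resources/audio.swf"
    : > "$root/util/doh/runner.html"
    : > "$root/dojo/tests/resources/echo.php"   # hypothetical leftover
    : > "$root/dijit/tests/_helper.php"        # hypothetical leftover
}

# Usage: sh dojo_audit.sh /path/to/dojo-root
if [ -n "${1:-}" ]; then
    echo "Advisory files present under $1 (replace these):"
    list_affected_files "$1"
    echo "PHP files under dojo/dijit/dojox (delete if PHP is enabled):"
    list_php_files "$1"
fi
```

    Run the script with the WebSphere Commerce Dojo root as its
    argument; it only reports. Call remove_php_files on that root
    once you have confirmed PHP is enabled on the server and the
    files are not part of your own customizations.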
    

Problem summary

  • USERS AFFECTED:
    WebSphere Commerce users running v6 through v7 Feature Pack 2.
    WebSphere Commerce v7 Feature Pack 3 uses Dojo 1.5, which does
    not include this vulnerability.
    
    PROBLEM ABSTRACT:
    This APAR describes the steps necessary to address a security
    vulnerability in Dojo 1.0.2 and Dojo 1.3.1, which are used in
    WebSphere Commerce V6 and WebSphere Commerce V7 respectively.
    
    
    BUSINESS IMPACT:
    High - as with any security vulnerability, it is recommended
    that the fix be applied as soon as possible.
    
    RECOMMENDATION:
    The modified files are available from the DOJO website here:
    http://dojotoolkit.org/blog/dojo-security-advisory
    

Problem conclusion

  • Moving to the newer Dojo version shipped with Feature Pack 3 for
    version 7 corrects the vulnerability in the WebSphere Commerce
    application.
    
    -------------------------------------------------------------
    The latest available maintenance information can be obtained
    from the Recommended Fixes for WebSphere Commerce technote:
    http://www.ibm.com/support/docview.wss?rs=3046&uid=swg21261296
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR40578

  • Reported component name

    WC BUS EDITION

  • Reported component ID

    5724I3800

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-09-06

  • Closed date

    2011-09-16

  • Last modified date

    2011-09-16

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WC BUS EDITION

  • Fixed component ID

    5724I3800

Applicable component levels

  • R700 PSY

       UP

Document Information

Modified date:
16 September 2011