APAR status
Closed as program error.
Error description
A security advisory was recently published describing vulnerabilities in DOJO releases v0.4 through v1.4. WebSphere Commerce version 6 and version 7 both ship DOJO versions within this range and are therefore affected. See http://dojotoolkit.org/blog/dojo-security-advisory for more information.
Local fix
Upgrading to WebSphere Commerce Feature Pack 3 resolves this vulnerability. Feature Pack 3 and newer use DOJO v1.5, which does not contain the vulnerability.

WebSphere Commerce ships with the following DOJO versions:
- V6 FEP 5: dojo 1.0.2 (affected)
- V7, V7 FEP 1 and V7 FEP 2: dojo 1.3.1 (affected)
- V7 FEP 3: dojo 1.5 (not affected)

If you cannot upgrade to WebSphere Commerce Feature Pack 3, it is recommended that you replace the following files with the new secure ones outlined in the vulnerability document above.

Manual steps to correct the issue: Pull Specific Files
If you have your own custom, modified Dojo source and cannot update to the new builds, go to the directories listed in the "Updated Builds" section of the advisory, take the files you need from the version that most closely matches your version, and copy them over to your distribution. Some branches do not have all of these files; replace only the files that exist in your distribution.

Dojo 1.0+:
- dojo/resources/iframe_history.html
- dojox/av/FLAudio.js
- dojox/av/FLVideo.js
- dojox/av/resources/audio.swf
- dojox/av/resources/video.swf
- util/buildscripts/jslib/build.js
- util/buildscripts/jslib/buildUtil.js
- util/doh/runner.html

Dojo 0.4:
- iframe_history.html

In addition to replacing the files listed above, delete any .php files in the dojo, dijit and dojox directories if PHP is enabled on your server. Updated versions of these files are available from the link above.
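The manual procedure above amounts to an inventory task: find which of the named files exist in a given Dojo distribution, and find any .php files left under dojo, dijit or dojox. The following POSIX shell script is an added example, not IBM's or the Dojo Toolkit's own code. It assumes a single root directory argument that contains the dojo/, dijit/, dojox/ and util/ trees (the actual location inside a WebSphere Commerce installation is not stated in this APAR and is left to the administrator). It only reports; copying the updated builds over the listed files remains the manual step described above.

```shell
#!/bin/sh
# Added inventory check (not IBM or Dojo Toolkit code). Given a directory
# containing dojo/, dijit/, dojox/ and util/, it reports which files named
# in the advisory are present and whether any .php files remain. It changes
# nothing on disk.

# Files the advisory says to replace in the Dojo 1.0+ branch.
ADVISORY_FILES="dojo/resources/iframe_history.html
dojox/av/FLAudio.js
dojox/av/FLVideo.js
dojox/av/resources/audio.swf
dojox/av/resources/video.swf
util/buildscripts/jslib/build.js
util/buildscripts/jslib/buildUtil.js
util/doh/runner.html"

# Print each advisory file that exists under $1, one per line.
list_affected_files() {
    root=$1
    for f in $ADVISORY_FILES; do
        if [ -f "$root/$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Print every .php file under the dojo, dijit and dojox directories of $1.
list_php_files() {
    root=$1
    for d in dojo dijit dojox; do
        if [ -d "$root/$d" ]; then
            find "$root/$d" -type f -name '*.php'
        fi
    done
}

# Print a report for $1. Returns 0 when nothing needs attention, 1 otherwise.
report() {
    root=$1
    status=0
    affected=$(list_affected_files "$root")
    if [ -n "$affected" ]; then
        echo "Advisory files present under $root (replace from the updated builds):"
        printf '%s\n' "$affected" | sed 's/^/  /'
        status=1
    fi
    php=$(list_php_files "$root")
    if [ -n "$php" ]; then
        echo "PHP files present (delete them if PHP is enabled on this server):"
        printf '%s\n' "$php" | sed 's/^/  /'
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "No advisory files or .php files found under $root"
    fi
    return "$status"
}

# Usage: sh dojo_check.sh /path/to/dojo-root   (hypothetical script name)
if [ $# -gt 0 ]; then
    report "$1"
fi
```

The non-zero exit status from report lets the check run from a deployment pipeline or a scheduled job, so a distribution that still carries the original files or stray .php scripts is flagged rather than silently accepted.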
Problem summary
USERS AFFECTED: WebSphere Commerce users running v6 through v7 Feature Pack 2. WebSphere Commerce v7 Feature Pack 3 uses DOJO 1.5, which does not include this vulnerability.
PROBLEM ABSTRACT: This APAR describes the steps necessary to address a security vulnerability in DOJO 1.0.2 and DOJO 1.3.1, which are used in WebSphere V6 and WebSphere V7 respectively.
BUSINESS IMPACT: High. As with any security vulnerability, it is recommended to take action to close the holes immediately if possible.
RECOMMENDATION: The modified files are available from the DOJO website here: http://dojotoolkit.org/blog/dojo-security-advisory
Problem conclusion
By moving to a newer version of DOJO with Feature Pack 3 for version 7, the WebSphere Commerce application inherently corrected the vulnerability.
-------------------------------------------------------------
The latest available maintenance information can be obtained from the Recommended Fixes for WebSphere Commerce technote: http://www.ibm.com/support/docview.wss?rs=3046&uid=swg21261296
Temporary fix
Comments
APAR Information
APAR number
JR40578
Reported component name
WC BUS EDITION
Reported component ID
5724I3800
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-09-06
Closed date
2011-09-16
Last modified date
2011-09-16
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WC BUS EDITION
Fixed component ID
5724I3800
Applicable component levels
R700 PSY
UP
Document Information
Modified date:
16 September 2011