JR40578: CMVC 213558 - CORRECT A DOJO 1.0.2 SECURITY VULNERABILITY.
Closed as program error.
A security advisory was recently published describing problems in Dojo releases v0.4 through v1.4. WebSphere Commerce version 6 and version 7 both ship Dojo versions within this range and are therefore affected. See http://dojotoolkit.org/blog/dojo-security-advisory for details.
Upgrading to WebSphere Commerce Feature Pack 3 resolves this vulnerability. Feature Pack 3 and newer ship Dojo 1.5, which does not contain the vulnerability.

WebSphere Commerce ships with the following Dojo versions:
V6 FEP 5 - Dojo 1.0.2 (affected)
V7, V7 FEP 1 and V7 FEP 2 - Dojo 1.3.1 (affected)
V7 FEP 3 - Dojo 1.5 (not affected)

If you cannot upgrade to WebSphere Commerce Feature Pack 3, it is recommended that you replace the files listed below with the secure versions published in the advisory linked above.

Manual steps to correct the issue:

Pull specific files. If you have your own custom, modified Dojo source and cannot update to the new builds, go to the directories listed in the advisory's "Updated Builds" section, take the files you need from the version that most closely matches your version, and copy them over your distribution. Some branches do not have all of these files; replace only the files that exist in your distribution.

Dojo 1.0+:
dojo/resources/iframe_history.html
dojox/av/FLAudio.js
dojox/av/FLVideo.js
dojox/av/resources/audio.swf
dojox/av/resources/video.swf
util/buildscripts/jslib/build.js
util/buildscripts/jslib/buildUtil.js
util/doh/runner.html

Dojo 0.4:
iframe_history.html

In addition to replacing the files listed above, if PHP is enabled on your server, delete any .php files in the dojo, dijit and dojox directories. Updated versions of these files are available from the advisory linked above.
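The manual procedure above, as an added example script that is not part of this APAR, IBM's maintenance tooling or the Dojo advisory. It assumes an unpacked updated Dojo build (from the advisory's "Updated Builds" directories) and a deployed distribution directory containing dojo/, dijit/, dojox/ and util/; the script name and both paths are placeholders. It replaces only the listed files that already exist in the deployed tree, reports any that the updated build does not provide rather than skipping them silently, and removes .php files only from the three directories the advisory names.

```shell
#!/bin/sh
# Added example, not IBM or Dojo Foundation tooling: applies the file-level
# workaround described in this APAR to a deployed Dojo tree that cannot be
# upgraded. Assumed layout: UPDATED is an unpacked updated Dojo build from the
# advisory; DIST is the deployed distribution containing dojo/, dijit/, dojox/
# and util/. Back up DIST before running.

# Dojo 1.0+ file list, copied from the advisory text above.
DOJO_ADVISORY_FILES="dojo/resources/iframe_history.html
dojox/av/FLAudio.js
dojox/av/FLVideo.js
dojox/av/resources/audio.swf
dojox/av/resources/video.swf
util/buildscripts/jslib/build.js
util/buildscripts/jslib/buildUtil.js
util/doh/runner.html"

# replace_advisory_files UPDATED DIST
# Overwrites each listed file that exists in DIST with the copy from UPDATED
# and prints the relative path of every file replaced, one per line.
# A file that is deployed but absent from UPDATED is reported on stderr and
# left alone, so a build from a different branch cannot silently skip it.
replace_advisory_files() {
    updated="$1"; dist="$2"
    for f in $DOJO_ADVISORY_FILES; do
        [ -f "$dist/$f" ] || continue          # not part of this distribution
        if [ -f "$updated/$f" ]; then
            cp "$updated/$f" "$dist/$f"
            echo "$f"
        else
            echo "WARNING: $f is deployed but missing from $updated; not replaced" >&2
        fi
    done
    return 0
}

# list_php_files DIST
# Prints every .php file under dojo/, dijit/ and dojox/, the directories the
# advisory says to clean when PHP is enabled. Files elsewhere (e.g. util/)
# are not reported.
list_php_files() {
    dist="$1"
    for d in dojo dijit dojox; do
        [ -d "$dist/$d" ] && find "$dist/$d" -type f -name '*.php'
    done
    return 0
}

# remove_php_files DIST
# Deletes the files list_php_files reports and prints each path removed.
remove_php_files() {
    list_php_files "$1" | while IFS= read -r f; do
        rm -f "$f" && echo "removed $f"
    done
    return 0
}

# Usage (placeholder paths): sh dojo_advisory_patch.sh /tmp/dojo-1.3.2 /opt/WebSphere/.../dojo
if [ "$#" -eq 2 ]; then
    replace_advisory_files "$1" "$2"
    remove_php_files "$2"
fi
```

Run it once with the updated build and the deployed directory, then review the printed list against the advisory's file list; a WARNING means the chosen updated build does not match your branch and a different "Updated Builds" directory is needed for that file.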
USERS AFFECTED: WebSphere Commerce users running v6 through v7 Feature Pack 2. WebSphere Commerce v7 Feature Pack 3 uses Dojo 1.5, which does not include this vulnerability.

PROBLEM ABSTRACT: This APAR describes the steps necessary to address a security vulnerability in Dojo 1.0.2 and Dojo 1.3.1, which are used in WebSphere Commerce V6 and WebSphere Commerce V7 respectively.

BUSINESS IMPACT: High. As with any security vulnerability, it is recommended to take action to close the hole immediately if possible.

RECOMMENDATION: The modified files are available from the Dojo website here: http://dojotoolkit.org/blog/dojo-security-advisory
By moving to a newer version of Dojo with Feature Pack 3 for version 7, the WebSphere Commerce application inherently corrected the vulnerability.
-------------------------------------------------------------
The latest available maintenance information can be obtained from the Recommended Fixes for WebSphere Commerce technote: http://www.ibm.com/support/docview.wss?rs=3046&uid=swg21261296
Reported component name
WC BUS EDITION
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
WC BUS EDITION
Fixed component ID
Applicable component levels