A fix is available
APAR status
Closed as program error.
Error description
The JavaScript Resource Servlet does not perform input validation on a request parameter, so a malicious user could inject arbitrary JavaScript into the page it serves.
Local fix
Problem summary
When the servlet acquires the locale identifier from the request parameter, it does not verify that the locale name is legal. The locale name is then used in generating the response, so a crafted locale name can be exploited: script supplied in the parameter is returned as part of the servlet's JavaScript output.
Problem conclusion
The servlet now verifies that the locale name is legal. If it is not, the servlet falls back to the default locale and disregards the value of the request parameter. Fix delivered in Rational Application Developer V7.0.0.10.
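The following is an added example, not code from the product or from the APAR, showing the failure mode the summary describes and the validate-or-fall-back behaviour the conclusion describes: a JavaScript resource is built from a ?locale= parameter, once with the value spliced in verbatim and once after checking it against a locale-name rule. The function names, the default locale "en_US" and the locale syntax rule (an approximation of the Java Locale form language[_COUNTRY[_variant]]) are assumptions; the exact rule the fix applies is not stated on the page.

```javascript
// Added example (not the product's code): a JavaScript resource built from an
// unvalidated ?locale= parameter, beside the validate-or-fall-back variant.
// Function names, DEFAULT_LOCALE and LOCALE_RE are assumptions for this example.

const DEFAULT_LOCALE = "en_US"; // assumed default, not taken from the APAR

// Approximation of the Java Locale string form language[_COUNTRY[_variant]].
// This is the allow-list rule: anything that does not match is not a locale name.
const LOCALE_RE = /^[a-z]{2,3}(_[A-Z]{2}(_[A-Za-z0-9]{1,8})?)?$/;

function isLegalLocale(name) {
  return typeof name === "string" && LOCALE_RE.test(name);
}

// Stands in for request.getParameter("locale"): null when the parameter is absent.
function localeFromQuery(queryString) {
  return new URLSearchParams(queryString).get("locale");
}

// Pre-fix behaviour: the parameter value is spliced into the script body verbatim.
function buildLocaleScriptVulnerable(localeParam) {
  const locale =
    localeParam === null || localeParam === undefined ? DEFAULT_LOCALE : localeParam;
  return `var ResourceBundle = { locale: "${locale}" };`;
}

// Post-fix behaviour: an illegal name is disregarded and the default locale is used.
function buildLocaleScriptFixed(localeParam) {
  const locale = isLegalLocale(localeParam) ? localeParam : DEFAULT_LOCALE;
  return `var ResourceBundle = { locale: "${locale}" };`;
}

// Constructed attacker request: the value closes the string literal and the object
// literal, runs its own statement, and the trailing // comments out the remainder.
const ATTACK_QUERY =
  "locale=" + encodeURIComponent('en_US"};alert(document.cookie);//');

// Builds both responses for one query string so the difference can be compared.
function demo(queryString) {
  const param = localeFromQuery(queryString);
  return {
    vulnerable: buildLocaleScriptVulnerable(param),
    fixed: buildLocaleScriptFixed(param),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = demo(ATTACK_QUERY);
  console.log("vulnerable:", out.vulnerable);
  console.log("fixed:     ", out.fixed);
}
```

With the attack query, the vulnerable output is `var ResourceBundle = { locale: "en_US"};alert(document.cookie);//" };`, which is syntactically valid JavaScript that executes the injected statement when the resource is loaded; the fixed output is `var ResourceBundle = { locale: "en_US" };`. Validating against a strict locale syntax is the right primary control here because a locale name is never legitimately free-form; encoding the value on output (for example with JSON.stringify) is a reasonable second layer but should not replace the check, since a rejected value must also not be used to select resources.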
Temporary fix
Comments
APAR Information
APAR number
PK94324
Reported component name
RATL APP DEV WI
Reported component ID
5724J1901
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-08-20
Closed date
2009-11-20
Last modified date
2009-11-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
RATL APP DEV WI
Fixed component ID
5724J1901
Applicable component levels
R700 PSN
UP
Business Unit: Cloud & Data Platform (BU053)
Product: Rational Application Developer for WebSphere Software (SSRTLW)
Platform: Platform Independent (PF025)
Version: 7.0
Line of Business: Automation (LOB45)
Document Information
Modified date:
20 November 2009