PM68296: Changed pattern of communication between XC10 servers


APAR status

  • Closed as program error.

Error description

  • A vulnerability exists in the WebSphere DataPower XC10
    Appliance authentication of collective members to one another,
    which might allow an attacker to establish a session with an
    appliance while impersonating another appliance.

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  WebSphere DataPower XC10                    *
    *                  Appliance v2.0 or higher users that are     *
    *                  insufficiently protected by                 *
    *                  security infrastructure,                    *
    *                  such as firewalls. This problem does not    *
    *                  apply to any of the WebSphere eXtreme Scale *
    *                  software products.                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere DataPower XC10                *
    *                      Appliance uses a hardcoded secret for   *
    *                      server authentication, and the secret   *
    *                      is sent over the wire if TLS is         *
    *                      not used.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    WebSphere DataPower XC10 Appliances that are configured in a
    collective use server-to-server connections. These connections
    are protected by a shared XC10 secret key: all XC10 appliances
    share one secret key that is used internally. If the secret key
    is discovered, an attacker can act as a container server to an
    XC10 appliance, at which point the data in the data grid would
    be available to that attacker.

Problem conclusion

  • The code was fixed to make the secret key configurable
    and encrypted for network transmission.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM68296

  • Reported component name

    WS EXTREME SCAL

  • Reported component ID

    5724X6702

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-07-06

  • Closed date

    2013-01-22

  • Last modified date

    2013-01-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WS EXTREME SCAL

  • Fixed component ID

    5724X6702

Applicable component levels

  • R850 PSY

       UP


Document information

  • Product

    WebSphere eXtreme Scale

  • Software version

    850

  • Reference #

    PM68296

  • Modified date

    2013-01-22