PM68296: Changed pattern of communication between XC10 servers
APAR status

  • Closed as program error.

Error description

  • A vulnerability exists in the WebSphere DataPower XC10
    Appliance authentication of collective members to one another,
    which might allow an attacker to establish a session with an
    appliance while impersonating another appliance.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  WebSphere DataPower XC10                    *
    *                  Appliance v2.0 or higher users that are     *
    *                  insufficiently protected by                 *
    *                  security infrastructure,                    *
    *                  such as firewalls. This problem does not    *
    *                  apply to any of the WebSphere eXtreme Scale *
    *                  software products.                          *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere DataPower XC10                *
    *                      Appliance uses a hardcoded secret for   *
    *                      server authentication, and the secret   *
    *                      is sent over the wire if TLS is         *
    *                      not used.                               *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    WebSphere DataPower XC10 Appliances that are configured in a
    collective use server-to-server connections. These server-to-server
    connections are protected using a shared XC10 secret key. All XC10
    appliances share a secret key that is used internally. If the secret
    key is discovered, a user can act as a container server to an XC10
    appliance, at which point data in the data grid would be available
    to a potential attacker.
    

Problem conclusion

  • The code was fixed to make the secret key configurable
    and encrypted for network transmission.
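The two authentication patterns described in the problem summary and conclusion, as an added illustrative model (not XC10 code, and not the actual XC10 protocol): a pre-fix check that accepts a secret baked into every appliance build and sent in the clear, beside a post-fix check whose secret is a per-collective setting. The APAR says the real fix encrypts the secret for transmission; this model instead proves possession with an HMAC over a server nonce so the secret never crosses the wire, which is a modelling choice here. The setting name `XC10_COLLECTIVE_SECRET`, the peer ids and the secret values are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder, not a real XC10 value: the same constant shipped in every appliance.
HARDCODED_SECRET = b"example-baked-in-secret"


def vulnerable_handshake(wire_secret: bytes) -> bool:
    """Pre-fix model: a peer proves membership by sending the shared secret itself.
    Without TLS the secret is readable on the wire, and every appliance holds it."""
    return hmac.compare_digest(wire_secret, HARDCODED_SECRET)


def load_collective_secret(settings: dict) -> bytes:
    """Post-fix model: the secret is supplied by the administrator per collective
    (here via a settings mapping with a hypothetical key), not compiled in."""
    value = settings.get("XC10_COLLECTIVE_SECRET")
    if not value or len(value) < 32:
        raise ValueError("collective secret must be configured and at least 32 characters")
    return value.encode()


def issue_challenge() -> bytes:
    """Fresh per-session nonce issued by the appliance being connected to."""
    return secrets.token_bytes(16)


def prove(secret: bytes, nonce: bytes, peer_id: str) -> bytes:
    """Member's response: HMAC over the nonce and its identity; the secret stays local."""
    return hmac.new(secret, nonce + peer_id.encode(), hashlib.sha256).digest()


def hardened_handshake(secret: bytes, nonce: bytes, peer_id: str, proof: bytes) -> bool:
    return hmac.compare_digest(proof, prove(secret, nonce, peer_id))


def demo() -> dict:
    # Pre-fix: anyone holding the build-wide constant passes the check.
    weak_ok = vulnerable_handshake(HARDCODED_SECRET)
    # Post-fix: configured secret, fresh nonce, proof bound to this session.
    secret = load_collective_secret({"XC10_COLLECTIVE_SECRET": "constructed-" + "x" * 32})
    nonce = issue_challenge()
    proof = prove(secret, nonce, "member-2")
    good = hardened_handshake(secret, nonce, "member-2", proof)
    # A proof observed in one session does not validate against a new nonce.
    replayed = hardened_handshake(secret, issue_challenge(), "member-2", proof)
    return {"weak_ok": weak_ok, "good": good, "replayed": replayed}
```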
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM68296

  • Reported component name

    WS EXTREME SCAL

  • Reported component ID

    5724X6702

  • Reported release

    850

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-07-06

  • Closed date

    2013-01-22

  • Last modified date

    2013-01-22

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WS EXTREME SCAL

  • Fixed component ID

    5724X6702

Applicable component levels

  • R850 PSY

       UP

Document Information

Modified date:
06 January 2022