IBM Support

PM74462: Authorization checking is not done on placement service operations.

A fix is available

Security fixes for IBM WebSphere DataPower XC10 Appliance

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • No authorization checking is done on placement service
operations.

Local fix

  • n/a

Problem summary

  • ****************************************************************
* USERS AFFECTED:  All customers running WebSphere eXtreme     *
*                  Scale servers in a configuration that       *
*                  uses Java Security Manager restrictions     *
*                  on administrative access to authorized      *
*                  identities.                                 *
****************************************************************
* PROBLEM DESCRIPTION: An administrative operation can be      *
*                      performed by an authenticated user      *
*                      that does not have administrative       *
*                      permissions.                            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Access to placement service operations via the startOgServer
script are not restricted to only the administrators that have
appropriate MBean permissions.

Problem conclusion

  • The runtime environment was corrected by adding a subroutine to
restrict access to the placement service.  Therefore, only
administrators with appropriate MBean permissions for all
targets and actions, as defined in the Java security policy
file, can perform the corresponding operations.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PM74462
    • 

  • Reported component name
    WS EXTREME SCAL
    • 

  • Reported component ID
    5724X6702
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2012-10-05
    • 

  • Closed date
    2013-02-06
    • 

  • Last modified date
    2013-02-06
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WS EXTREME SCAL
    • 

  • Fixed component ID
    5724X6702
    • 



Applicable component levels


    

  • R711  PSY
       UP
    • 

  • R850  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSTVLU","label":"WebSphere eXtreme Scale"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"850","Line of Business":{"code":"LOB45","label":"Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            06 January 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback