Preventive Service Planning
If your WebSphere Portal version 6.0 or 5.1 is deployed on WebSphere Application Server Fix Pack 19 for 6.0.2 (6.0.2.19) or below, you should apply the recommended fix for PK41446. The fix addresses a situation in which, after a closed connection error, the Web container may corrupt a buffer being used to send a response. This could have security exposure implications and allow information intended for one user to be accessed by another.
This situation has not been reproduced in IBM testing with WebSphere Portal, but the risk of vulnerability exists.
From the WebSphere Application Server support page "PK41446; Possible response buffer corruption after closed connection error" (#4015854):
If a closed connection exception occurs, for example because a request is canceled whilst a response to the request is still being sent, based on timing the following three scenarios are possible:
- Things clean up correctly and no problem occurs. This is the most likely outcome.
- Some response data of the cancelled request is added to the response of a subsequent request.
- Some response data for a first subsequent request is added to the response of a different subsequent request.
Reminder: Interim Fixes and Upgrades of this nature are fully supported by our WebSphere Portal Support Statement in the V6.0 Information Center.
| Organizational Productivity - Portals & Collaboration | WebSphere Portal End of Support Products | WebSphere Application Server Integration | AIX, HP-UX, i5/OS, Linux, Solaris, Windows | 5.1 |