IBM Support

Potential security exposure with IBM WebSphere Application Server Administrative Console (PM45322)

Flash (Alert)


Abstract

Possible information disclosure issue with the Administrative Console.

Content

Versions affected:
This only occurs on the following:

  • IBM® WebSphere® Application Server for distributed operating systems, for IBM i operating systems, and for z/OS operating systems, Versions 6.1.0.0 through 6.1.0.39, 7.0.0.0 through 7.0.0.18, and 8.0.0.0.

This does not occur on:
  • IBM WebSphere Application Server Versions prior to Version 6.1.

    Problem Description:
    Customers who have the Administrative Console deployed have the risk of an attacker that has http access to the console servlets to view restricted files on the server.

    Solutions:

    For IBM WebSphere Application Server for distributed operating systems:

    For V8.0.0.0:
  • Apply Interim Fix APAR PM45322
    --OR--
  • Install Fix Pack 1 (8.0.0.1), or later (targeted to be available 26 September 2011).

    For V7.0.0.0 through 7.0.0.17:
  • Apply Fix Pack 11 (7.0.0.11), or later, if your environment is not already at this level, then
  • Apply Interim Fix APAR PM45322
    --OR--
  • Install Fix Pack 19 (7.0.0.19), or later (targeted to be available 12 September 2011).

    For V6.1.0.0 through 6.1.0.40:
  • Apply Fix Pack 33 (6.1.0.33), or later, if your environment is not already at this level, then
  • Apply Interim Fix APAR PM45322
    --OR--
  • Install Fix Pack 41 (6.1.0.41), or later (targeted to be available 7 November 2011).

    For IBM WebSphere Application Server for IBM i operating systems:

    For V8.0.0.0:
  • Apply Interim Fix APAR PM45322
    --OR--
  • Apply the WebSphere Application Server PTF group which includes Fix Pack 1 (8.0.0.1), or later, (targeted to be available 26 September 2011), according to the PTF group instructions.

    For V7.0.0.0 through 7.0.0.17:
  • Apply the WebSphere Application Server PTF group which includes Fix Pack 11 (7.0.0.11), or later, if your environment is not already at this level, according to the PTF group instructions, then
  • Apply Interim Fix APAR PM45322
    --OR--
  • Apply the WebSphere Application Server PTF group which includes Fix Pack 19 (7.0.0.19), or later, (targeted to be available 12 September 2011), according to the PTF group instructions.

    For V6.1.0.0 through 6.1.0.40:
  • Apply the WebSphere Application Server PTF group which includes Fix Pack 33 (6.1.0.33), or later, if your environment is not already at this level, according to the PTF group instructions, then
  • Apply Interim Fix APAR PM45322
    --OR--
  • Apply the WebSphere Application Server PTF group which includes Fix Pack 41 (6.1.0.41), or later, (targeted to be available 7 November 2011), according to the PTF group instructions.

    For IBM WebSphere Application Server for z/OS operating systems:

    For V8.0.0.0:
  • Apply APAR PM45322 by way of the appropriate PTFs for 8.0.0.1, or later (targeted to be available 26 September 2011).

    For V7.0.0.0 through 7.0.0.18:
  • Apply APAR PM45322 by way of the appropriate PTFs for 7.0.0.19, or later (targeted to be available 12 September 2011).

    For V6.1.0.0 through 6.1.0.39:
  • Apply APAR PM45322 by way of the appropriate PTFs for 6.1.0.41, or later (targeted to be available 17 November 2011).
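To triage an estate against the remediation steps above, the following script (added here as an illustration, not IBM's tooling) checks an installed version string against the inclusive ranges in the "Versions affected" section and reports the advisory's remediation path per platform; the platform labels `distributed`, `ibmi` and `zos` are names chosen for this example.

```python
# Added example, not part of the IBM advisory: triage installed WebSphere
# Application Server versions against the affected ranges in PM45322 and
# report the remediation path the advisory gives for each platform.

# Inclusive affected ranges from the "Versions affected" section.
AFFECTED = [((6, 1, 0, 0), (6, 1, 0, 39)),
            ((7, 0, 0, 0), (7, 0, 0, 18)),
            ((8, 0, 0, 0), (8, 0, 0, 0))]

# Per release: the fix pack that resolves the APAR, and the minimum fix pack
# level required before Interim Fix PM45322 can be applied (None = no minimum).
RESOLVING_FIXPACK = {(6, 1): (6, 1, 0, 41), (7, 0): (7, 0, 0, 19), (8, 0): (8, 0, 0, 1)}
MIN_LEVEL_FOR_IFIX = {(6, 1): (6, 1, 0, 33), (7, 0): (7, 0, 0, 11), (8, 0): None}


def parse_version(text):
    """Parse 'a.b.c.d' (as printed by versionInfo) into a comparable tuple.
    Shorter strings are padded with zeros; malformed input raises ValueError."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a WebSphere version string: %r" % text)
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def dotted(version):
    return ".".join(str(n) for n in version)


def is_affected(version):
    return any(lo <= version <= hi for lo, hi in AFFECTED)


def remediation(version, platform):
    """Remediation path for one install. platform is 'distributed', 'ibmi'
    or 'zos' (labels chosen for this example, not IBM terminology)."""
    if not is_affected(version):
        return "not affected"
    release = version[:2]
    fixpack = dotted(RESOLVING_FIXPACK[release])
    if platform == "zos":
        return "apply APAR PM45322 via the PTFs for %s or later" % fixpack
    steps = "apply Interim Fix APAR PM45322"
    min_level = MIN_LEVEL_FOR_IFIX[release]
    if min_level is not None and version < min_level:
        steps = "apply Fix Pack %s first, then %s" % (dotted(min_level), steps)
    if platform == "ibmi":
        return "%s, or apply the PTF group that includes Fix Pack %s or later" % (steps, fixpack)
    return "%s, or install Fix Pack %s or later" % (steps, fixpack)
```

Feed it the version printed by `versionInfo` on each node; anything reported as affected should be scheduled for one of the two paths the advisory lists.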

    Note: Reported by Javier Castro and sxkeebler of Digital Defense, Inc.

    Additional documentation:
    For additional details and information on WebSphere Application Server product updates, see the following URLs:
  • For distributed operating systems, see Recommended fixes for WebSphere Application Server.
  • For IBM i operating systems, see WebSphere Application Server for IBM i.
  • For z/OS operating systems, see WebSphere Application Server for z/OS.
    For additional information on this security exposure, see the following URLs:
  • IBM Security Systems ISS X-Force document titled: "IBM WebSphere Application Server administration console directory traversal websphere-admin-console-dir-traversal (69473)"
  • Common Vulnerabilities and Exposures document at: CVE-2011-1359

    Change History:
  • 19 Sep 2011: Added links to the IBM Security Systems (ISS) X-Force document for this APAR, which includes its risk assessment, as well as a link to its CVE document, CVE-2011-1359.
  • 20 Sep 2011: Changed the "Problem Description" from:
    "Customers who have the Administrative Console deployed have the risk of an attacker that has access to the console servlets to view restricted files on the server."
    to
    "Customers who have the Administrative Console deployed have the risk of an attacker that has http access to the console servlets to view restricted files on the server."

    Document information

    More support for: WebSphere Application Server
    Security

    Software version: 6.1, 7.0, 8.0

    Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

    Software edition: Base, Developer, Express, Network Deployment

    Reference #: 1509257

    Modified date: 29 August 2011