IBM Support

Potential security vulnerability when using Web based applications on IBM WebSphere Application Server due to Java HashTable implementation vulnerability (PM53930/PM57565)

Flash (Alert)


Abstract

Potential Denial of Service (DoS) security exposure when using Web based applications due to a Java HashTable implementation vulnerability.

Content

CVE ID: CVE-2012-0193
Versions affected:
The following IBM® WebSphere® Application Server Versions for distributed operating systems, IBM i operating systems, and z/OS operating systems are affected:

  • Version 8.0 through 8.0.0.2
  • Version 7.0 through 7.0.0.21
  • Version 6.1 through 6.1.0.41
  • Version 6.0 through 6.0.2.43

    Problem Description:
    Customers who have Web based applications are impacted by this vulnerability, which can cause performance degradation or Denial of Service (DoS).

    CVSS:
    CVSS Base Score: 5
    CVSS Temporal Score:
    See https://exchange.xforce.ibmcloud.com/vulnerabilities/72298 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    Solutions:
    Install Interim Fix APAR PM53930 or PM57565 (or a ++APAR for WebSphere Application Server for z/OS), or a Fix Pack containing one of these APARs, as noted below.

    For IBM WebSphere Application Server for distributed operating systems:

    For V8.0 through 8.0.0.2:
  • Install Fix Pack 1 (8.0.0.1), or later, if your environment is not already at this level, then
  • Install Interim Fix APAR PM57565
    --OR--
  • Install Fix Pack 3 (8.0.0.3), or later (targeted to be available mid April 2012).
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. With trace on, the following exception:
    java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the SystemOut.log file. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.
    Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended Interim Fixes (iFixes) when installing WebSphere Application Server V8 or any of its V8 Service Fix Packs. PM53930 is a recommended fix and, as a result, may already be installed. If you are unsure whether it is installed, you can check:
  • either using the IM GUI, by selecting "File->View Installed Packages",
  • or using the IM command line "imcl listInstalledPackages -long"
    Note: PM53930 is included in 8.0.0.3, and later, and as a result does not require the Interim Fix to be installed.
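    Added example (not from the IBM Flash): a POSIX shell check that parses the output of "imcl listInstalledPackages -long" for the interim fixes named above, so the installed state can be verified from a script rather than by eye. The sample listing, and the assumption that an interim fix shows up as a package ID containing "IF" followed by the APAR number, are constructed for illustration.

```shell
# Constructed sample of "imcl listInstalledPackages -long" output (format is an
# assumption): "<install dir> : <package id>_<version> : <name> : <version>".
SAMPLE_WITH_FIX='/opt/IBM/WebSphere/AppServer : com.ibm.websphere.ND.v80_8.0.1.20110902_1030 : IBM WebSphere Application Server Network Deployment : 8.0.1.20110902_1030
/opt/IBM/WebSphere/AppServer : 8.0.0.1-WS-WAS-IFPM53930_8.0.1.20120110_1156 : WebSphere Application Server V8.0 Interim Fix PM53930 : 8.0.1.20120110_1156'

SAMPLE_NO_FIX='/opt/IBM/WebSphere/AppServer : com.ibm.websphere.ND.v80_8.0.1.20110902_1030 : IBM WebSphere Application Server Network Deployment : 8.0.1.20110902_1030'

# has_apar <APAR> <listing>: exit 0 if some package ID (second field) contains
# "IF<APAR>", exit 1 otherwise. Only the package-ID field is inspected, so a
# package *name* that merely mentions the APAR does not count.
has_apar() {
    apar=$1
    listing=$2
    printf '%s\n' "$listing" | awk -F' : ' -v pat="IF${apar}" '
        $2 ~ pat { found = 1 }
        END { exit(found ? 0 : 1) }'
}

# check_cve_2012_0193_fix <listing>: exit 0 if either interim fix named in the
# Flash (PM57565 for V8, or PM53930) is installed; exit 1 otherwise. A 1 does
# not prove exposure: the fix is also delivered in Fix Pack 8.0.0.3 and later,
# so the fix pack level must be checked separately in that case.
check_cve_2012_0193_fix() {
    listing=$1
    for apar in PM57565 PM53930; do
        if has_apar "$apar" "$listing"; then
            echo "interim fix $apar is installed"
            return 0
        fi
    done
    echo "neither PM57565 nor PM53930 found; check the fix pack level"
    return 1
}

# Usage on a real system (not run here):
#   check_cve_2012_0193_fix "$(imcl listInstalledPackages -long)"
```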

    For V7.0 through 7.0.0.21:
  • Install Fix Pack 1 (7.0.0.1), or later, if your environment is not already at this level, then
  • Install Interim Fix APAR PM53930
    --OR--
  • Install Fix Pack 23 (7.0.0.23), or later (targeted to be available late May 2012.)

    For V6.1 through 6.1.0.41:
  • Install Fix Pack 3 (6.1.0.3), or later, if your environment is not already at this level, then
  • Install Interim Fix APAR PM53930
    --OR--
  • Install Fix Pack 43 (6.1.0.43), or later (targeted to be available mid March 2012).

    For V6.0 through 6.0.2.43 (includes V6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.1.2, and 6.0.2 through 6.0.2.43):
  • Install Refresh Pack 2 (6.0.2), if not already at that level, then
  • Install Fix Pack 11 (6.0.2.11), or later, if your environment is not already at this level, then
  • Install Interim Fix APAR PM53930
    Note: Version 6.0 is no longer in service (ended 30 September 2010). The purchase of a support extension may be required, if additional assistance is needed, unless you are otherwise entitled to support.

    For IBM WebSphere Application Server for IBM i operating systems:

    For V8.0:
  • Install the WebSphere Application Server PTF group which includes Fix Pack 2 (8.0.0.2), according to the PTF group instructions, then
  • Install Interim Fix APAR PM57565
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. With trace on, the following exception:
    java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the SystemOut.log file. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.

    For V8.0.0.1 through 8.0.0.2:
  • Install Interim Fix APAR PM57565
    --OR--
  • Install the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions (8.0.0.3 targeted to be available late April 2012)
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. With trace on, the following exception:
    java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the SystemOut.log file. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.
    Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended iFixes when installing WebSphere Application Server V8 or any of its V8 Service Fix Packs. As a result, the iFix may already be installed. If you are unsure whether it is installed, you can check by using the IM command line:
    imcl listInstalledPackages -long
    Note: PM53930 is included in 8.0.0.3, and later, and as a result does not require the Interim Fix to be installed.

    For V7.0:
  • Install the WebSphere Application Server PTF group which includes Fix Pack 21 (7.0.0.21), according to the PTF group instructions, then
  • Install Interim Fix APAR PM53930

    For V7.0.0.1 through 7.0.0.21:
  • Install Interim Fix APAR PM53930
    --OR--
  • Install the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions (7.0.0.23 targeted to be available late May 2012)

    For V6.1 through 6.1.0.1:
  • Install the WebSphere Application Server PTF group which includes Fix Pack 19 (6.1.0.19) or Fix Pack 41 (6.1.0.41), according to the PTF group instructions, then
  • Install Interim Fix APAR PM53930

    For V6.1.0.3 through 6.1.0.41:
  • Install Interim Fix APAR PM53930
    --OR--
  • Install the WebSphere Application Server PTF group which includes Fix Pack 43, or later, according to the PTF group instructions (6.1.0.43 targeted to be available mid March 2012).

    For V6.0 through 6.0.2.9:
  • Install the WebSphere Application Server PTF group which includes Fix Pack 31 (6.0.2.31), or later, according to the PTF group instructions, then
  • Install Interim Fix APAR PM53930

    For V6.0.2.11 through 6.0.2.43:
  • Install Interim Fix APAR PM53930

    Note: Version 6.0 is no longer in service (ended 30 September 2010). The purchase of a support extension may be required, if additional assistance is needed, unless you are otherwise entitled to support.


    For WebSphere Application Server for z/OS operating systems:

    For V8.0 through 8.0.0.2:
  • Install Interim Fix APAR PM57565
    --OR--
  • Install Fix Pack 3 (8.0.0.3), or later (targeted to be available mid April 2012).
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. With trace on, the following exception:
    java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the Servant Region SYSPRINT. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.
    Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended iFixes when installing WebSphere Application Server V8 or any of its V8 Service Fix Packs. As a result, the iFix may already be installed. If you are unsure whether it is installed, you can check by using the IM command line:
    imcl listInstalledPackages -long
    Note: PM53930 is included in 8.0.0.3, and later, and as a result does not require the Interim Fix to be installed.

    For V7.0 through 7.0.0.21:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM55522
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
    --OR--
  • Install Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS (targeted to be available late May 2012).

    For V6.1 through 6.1.0.41:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM55706.
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
    --OR--
  • Install Fix Pack 6.1.0.43, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS (targeted to be available late March 2012).

    For V6.0 through 6.0.2.43 (includes 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.1.1, 6.0.1.2, and 6.0.2 through 6.0.2.43):
  • Move up in maintenance to Fix Pack 6.0.2.43 at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM55697.
  • Please include, in the PMR, any additional ++APARs that you have installed.
    Note: Version 6.0 is no longer in service (ended 30 September 2010). The purchase of a support extension may be required, if additional assistance is needed, unless you are otherwise entitled to support.


    For additional details and information on WebSphere Application Server product updates:
  • For Distributed, see Recommended fixes for WebSphere Application Server.
  • For i5/OS, see WebSphere Application Server for i5/OS.
  • For z/OS, see APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.


    REFERENCES:
  • Complete CVSS Guide
  • On-line Calculator V2

    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

    Note:
    According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

    Change History
    17 Jan 2012 Flash published.
    19 Jan 2012 Updated V7.0 APAR Interim Fix for Fix Pack level availability.
    Updated link to 77298 for ISS Xforce reference.
    20 Jan 2012 Updated V6.1 APAR Interim Fix for Fix Pack level availability for both Distributed systems and i systems.
    26 Jan 2012 For Distributed systems: Updated minimum Fix Pack required for fix install for V6.1, from Fix Pack 11 (V6.1.0.11) to Fix Pack 3 (V6.1.0.3).
    Updated minimum Fix Pack required for fix install for V7.0, from Fix Pack 3 (V7.0.0.3) to Fix Pack 1 (V7.0.0.1).
    For i Systems: Updated V6.1 and V7.0 minimum Fix Packs as well.
    12 Mar 2012 PM57565 added, and supersedes PM53930, for WAS v8.0.x Interim Fix APAR only.

    Cross reference information
    Segment: Application Servers | Product: WebSphere Application Server for z/OS | Component: Servlet Engine/Web Container | Platform: z/OS, OS/390 | Version: 8.0.0.1, 8.0, 7.0.0.9, 7.0.0.8, 7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.19, 7.0.0.17, 7.0.0.15, 7.0.0.13, 7.0.0.11, 7.0.0.1, 7.0, 6.1.0.9, 6.1.0.8, 6.1.0.7, 6.1.0.6, 6.1.0.5, 6.1.0.41, 6.1.0.4, 6.1.0.3, 6.1.0.22, 6.1.0.21, 6.1.0.20, 6.1.0.2, 6.1.0.18, 6.1.0.16, 6.1.0.14, 6.1.0.11, 6.1.0.10, 6.1.0.1, 6.1, 6.0.2.30, 6.0.2.28, 6.0.2.26, 6.0.2, 6.0.1, 6.0
    Segment: Application Servers | Product: WebSphere Application Server Hypervisor Edition | Platform: AIX, Linux | Version: 7.0, 6.1 | Edition: All Editions
    Segment: Application Servers | Product: WebSphere Application Server Hypervisor Edition for AIX | Platform: AIX | Version: 6.0.0.1, 6.1, 7.0, 8.0 | Edition: All Editions
    Segment: Application Servers | Product: WebSphere Application Server Hypervisor Edition for Red Hat Enterprise Linux Server | Platform: Linux Red Hat - iSeries, Linux Red Hat - pSeries, Linux Red Hat - xSeries, Linux Red Hat - zSeries | Version: 6.1, 7.0, 7.0.0.4, 7.0.0.6, 8.0, 8.0.2 | Edition: All Editions

    Document information

    More support for: WebSphere Application Server
    Servlet Engine/Web Container

    Software version: 6.0, 6.0.0.2, 6.0.0.3, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.3, 6.0.2.4, 6.0.2.5, 6.0.2.6, 6.0.2.7, 6.0.2.8, 6.0.2.9, 6.0.2.11, 6.0.2.13, 6.0.2.15, 6.0.2.17, 6.0.2.19, 6.0.2.21, 6.0.2.23, 6.0.2.25, 6.0.2.27, 6.0.2.29, 6.0.2.31, 6.0.2.33, 6.0.2.35, 6.0.2.37, 6.0.2.39, 6.0.2.41, 6.0.2.43, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.5, 6.1.0.7, 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.14, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29, 6.1.0.31, 6.1.0.33, 6.1.0.35, 6.1.0.37, 6.1.0.39, 6.1.0.41, 6.1.1, 6.1.1.1, 6.1.1.2, 6.1.1.3, 6.1.1.4, 6.1.1.5, 6.1.1.6, 6.1.1.7, 6.1.1.8, 6.1.1.9, 6.1.1.10, 7.0, 7.0.0.1, 7.0.0.3, 7.0.0.5, 7.0.0.7, 7.0.0.9, 7.0.0.11, 7.0.0.13, 7.0.0.15, 7.0.0.17, 7.0.0.19, 8.0, 8.0.0.1

    Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

    Software edition: Base, Developer, Express, Network Deployment

    Reference #: 1577532

    Modified date: 13 March 2012