IBM Support

Potential security vulnerability when using Web based applications on IBM WebSphere Application Server due to Java HashTable implementation vulnerability (PM53930/PM57565)

Flash (Alert)


Abstract

Potential Denial of Service (DoS) security exposure when using Web based applications due to a Java HashTable implementation vulnerability.

Content

CVE ID: CVE-2012-0193
Versions affected:
The following IBM® WebSphere® Application Server Versions for distributed operating systems, IBM i operating systems, and z/OS operating systems are affected:

  • Version 8.0 through 8.0.0.2
  • Version 7.0 through 7.0.0.21
  • Version 6.1 through 6.1.0.41
  • Version 6.0 through 6.0.2.43

Problem Description:
Customers who have Web based applications are impacted by this vulnerability which can cause performance or Denial of Service (DoS) issues.
Solutions:
Install Interim Fix APAR PM53930 or PM57565 (or a ++APAR for WebSphere Application Server for z/OS), or a Fix Pack containing one of these APARs, as noted below.

For IBM WebSphere Application Server for distributed operating systems:
    For V 8.0 through 8.0.0.2:
    • Install Fix Pack 1 (8.0.0.1), or later, if your environment is not already at this level, then
    • Install Interim Fix APAR PM57565
    --OR--
    • Install Fix Pack 3 (8.0.0.3), or later (targeted to be available mid April 2012).
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. If trace is on, the following exception:
      java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the SystemOut.log file. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.
    Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended Interim Fixes (iFixes) when installing WebSphere Application Server V8 or any of its V8 Service Fix Packs. PM53930 is a recommended fix and, as a result, may already be installed. If you are unsure whether it is installed, you can check:
    • either by using the IM GUI and selecting "File->View Installed Packages",
    • or using the IM command line "imcl listInstalledPackages -long"
    Note: PM53930 is included in 8.0.0.3, and later, and as a result does not require the Interim Fix to be installed.

    For V7.0 through 7.0.0.21:
    • Install Fix Pack 1 (7.0.0.1), or later, if your environment is not already at this level, then
    • Install Interim Fix APAR PM53930
    --OR--
    • Install Fix Pack 23 (7.0.0.23), or later (targeted to be available late May 2012.)

    For V6.1 through 6.1.0.41:
    • Install Fix Pack 3 (6.1.0.3), or later, if your environment is not already at this level, then
    • Install Interim Fix APAR PM53930
    --OR--
    • Install Fix Pack 43 (6.1.0.43), or later (targeted to be available mid March 2012).

    For V6.0 through 6.0.2.43 (includes V6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.1.2, and 6.0.2 through 6.0.2.43):
    • Install Refresh Pack 2 (6.0.2), if not already at that level, then
    • Install Fix Pack 11 (6.0.2.11), or later, if your environment is not already at this level, then
    • Install Interim Fix APAR PM53930
    Note: Version 6.0 is no longer in service (ended 30 September 2010).
For IBM WebSphere Application Server for IBM i operating systems:
    For V8.0:
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. If trace is on, the following exception:
      java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the SystemOut.log file. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.

    For V8.0.0.1 through 8.0.0.2:
    --OR--
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. If trace is on, the following exception:
      java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the SystemOut.log file. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.
    Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended iFixes when installing WebSphere Application Server V8 or any of its V8 Service Fix Packs. As a result, the iFix may already be installed. If you are unsure whether it is installed, you can check by using the IM command line:
      imcl listInstalledPackages -long
    Note: PM53930 is included in 8.0.0.3, and later, and as a result does not require the Interim Fix to be installed.

    For V7.0:
    For V7.0.0.1 through 7.0.0.21:
    --OR--
    For V6.1 through 6.1.0.1:
    For V6.1.0.3 through 6.1.0.41:
    --OR--
    For V6.0 through 6.0.2.9:
    For V6.0.2.11 through 6.0.2.43:
    Note: Version 6.0 is no longer in service (ended 30 September 2010).

For WebSphere Application Server for z/OS operating systems:

    For V8.0 through 8.0.0.2:
    --OR--
    • Install Fix Pack 3 (8.0.0.3), or later (targeted to be available mid April 2012).
    Note: The new APAR, PM57565, replaces PM53930. PM57565 is a Version 8 iFix-only replacement for PM53930 and is only required if trace is turned on. If trace is on, the following exception:
      java.lang.UnsupportedOperationException: SRVE8020E: Servlet does not accept multipart requests
    may appear in the Servant Region SYSPRINT. PM57565 is therefore only required to correct an erroneous exception in the log file; it is not a functional problem.
    Note: If you use the Web-based ("live") repository provided by IBM, Install Manager (IM) will, by default, pick up any recommended iFixes when installing WebSphere Application Server V8 or any of its V8 Service Fix Packs. As a result, the iFix may already be installed. If you are unsure whether it is installed, you can check by using the IM command line:
      imcl listInstalledPackages -long
    Note: PM53930 is included in 8.0.0.3, and later, and as a result does not require the Interim Fix to be installed.
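The distributed, IBM i and z/OS V8 notes above all point at the same check: run imcl listInstalledPackages -long and look for the interim fix. The script below is an added example written for this page, not IBM's own tooling or text from the Flash. It assumes that an installed iFix appears in the imcl listing as a package ID containing the APAR number in the form IFPM53930 or IFPM57565; the sample listing embedded in the script is constructed for illustration, not real imcl output, so real output may be laid out differently.

```shell
#!/bin/sh
# Added example (not IBM code): scan Installation Manager's package listing
# for the interim fixes named in this Flash, PM53930 and PM57565.
# Assumption: an installed iFix shows up in
#   imcl listInstalledPackages -long
# as a package ID containing "IF<APAR>", e.g. "...IFPM53930...".
# Caveat from the Flash: 8.0.0.3 and later already contain PM53930, so a
# missing iFix on such a level is not a gap; this script only reports iFixes.

# Constructed sample listing standing in for a real imcl run.
SAMPLE_IMCL_OUTPUT='/opt/IBM/WebSphere/AppServer : com.ibm.websphere.ND.v80_8.0.2.20120301_1234 : IBM WebSphere Application Server Network Deployment : 8.0.2.0
/opt/IBM/WebSphere/AppServer : 8.0.0.1-WS-WAS-IFPM53930_8.0.1.20120123_1525 : WebSphere Application Server V8.0 Fix : 8.0.1.20120123_1525'

# apar_installed <APAR> <listing>: succeed if an iFix for that APAR is listed.
apar_installed() {
    apar=$1
    listing=$2
    printf '%s\n' "$listing" | grep -q "IF${apar}"
}

# fix_status <listing>: print "fixed" when either PM53930 or its V8
# replacement PM57565 is present as an iFix, otherwise "unfixed".
fix_status() {
    listing=$1
    if apar_installed PM53930 "$listing" || apar_installed PM57565 "$listing"; then
        echo fixed
    else
        echo unfixed
    fi
}

# On a real system you would run:
#   fix_status "$(/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages -long)"
# (path assumed; adjust to your Installation Manager location.)
fix_status "$SAMPLE_IMCL_OUTPUT"
```

Because the script only greps the package IDs, a host already at Fix Pack 8.0.0.3 or later will report "unfixed" even though the Flash states the fix is included there; treat the result together with the installed Fix Pack level.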

    For V7.0 through 7.0.0.21:
    • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM55522
    • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
    --OR--
    For V6.1 through 6.1.0.41:
    • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM55706.
    • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
    --OR--
    For V6.0 through 6.0.2.43 (includes 6.0.0.1, 6.0.0.2, 6.0.0.3, 6.0.1.1, 6.0.1.2, and 6.0.2 through 6.0.2.43):
    Note: Version 6.0 is no longer in service (ended 30 September 2010).
For additional details and information on WebSphere Application Server product updates:

REFERENCES:
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Change History
17 Jan 2012 Flash published.
19 Jan 2012 Updated V7.0 APAR Interim Fix for Fix Pack level availability.
Updated link to 77298 for ISS Xforce reference.
20 Jan 2012 Updated V6.1 APAR Interim Fix for Fix Pack level availability for both Distributed systems and i systems.
26 Jan 2012 For Distributed systems: Updated minimum Fix Pack required for fix install for V6.1, from Fix Pack 11 (V6.1.0.11) to Fix Pack 3 (V6.1.0.3).
Updated minimum Fix Pack required for fix install for V7.0, from Fix Pack 3 (V7.0.0.3) to Fix Pack 1 (V7.0.0.1).
For i Systems: Updated V6.1 and V7.0 minimum Fix Packs as well.
12 Mar 2012 PM57565 added, and supersedes PM53930, for WAS v8.0.x Interim Fix APAR only.


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Application Servers | WebSphere Application Server for z/OS | Servlet Engine/Web Container | z/OS, OS/390 | 8.0.0.1, 8.0, 7.0.0.9, 7.0.0.8, 7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.19, 7.0.0.17, 7.0.0.15, 7.0.0.13, 7.0.0.11, 7.0.0.1, 7.0, 6.1.0.9, 6.1.0.8, 6.1.0.7, 6.1.0.6, 6.1.0.5, 6.1.0.41, 6.1.0.4, 6.1.0.3, 6.1.0.22, 6.1.0.21, 6.1.0.20, 6.1.0.2, 6.1.0.18, 6.1.0.16, 6.1.0.14, 6.1.0.11, 6.1.0.10, 6.1.0.1, 6.1, 6.0.2.30, 6.0.2.28, 6.0.2.26, 6.0.2, 6.0.1, 6.0 | 
Application Servers | WebSphere Application Server Hypervisor Edition | | AIX, Linux | 7.0, 6.1 | All Editions
Application Servers | WebSphere Application Server Hypervisor Edition for AIX | | AIX | 6.0.0.1, 6.1, 7.0, 8.0 | All Editions
Application Servers | WebSphere Application Server Hypervisor Edition for Red Hat Enterprise Linux Server | | Linux Red Hat - iSeries, Linux Red Hat - pSeries, Linux Red Hat - xSeries, Linux Red Hat - zSeries | 6.1, 7.0, 7.0.0.4, 7.0.0.6, 8.0, 8.0.2 | All Editions

Document information

More support for: WebSphere Application Server
Servlet Engine/Web Container

Software version: 6.0, 6.0.0.2, 6.0.0.3, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.3, 6.0.2.4, 6.0.2.5, 6.0.2.6, 6.0.2.7, 6.0.2.8, 6.0.2.9, 6.0.2.11, 6.0.2.13, 6.0.2.15, 6.0.2.17, 6.0.2.19, 6.0.2.21, 6.0.2.23, 6.0.2.25, 6.0.2.27, 6.0.2.29, 6.0.2.31, 6.0.2.33, 6.0.2.35, 6.0.2.37, 6.0.2.39, 6.0.2.41, 6.0.2.43, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.5, 6.1.0.7, 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.14, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29, 6.1.0.31, 6.1.0.33, 6.1.0.35, 6.1.0.37, 6.1.0.39, 6.1.0.41, 6.1.1, 6.1.1.1, 6.1.1.2, 6.1.1.3, 6.1.1.4, 6.1.1.5, 6.1.1.6, 6.1.1.7, 6.1.1.8, 6.1.1.9, 6.1.1.10, 7.0, 7.0.0.1, 7.0.0.3, 7.0.0.5, 7.0.0.7, 7.0.0.9, 7.0.0.11, 7.0.0.13, 7.0.0.15, 7.0.0.17, 7.0.0.19, 8.0, 8.0.0.1

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Base, Developer, Express, Network Deployment

Reference #: 1577532

Modified date: 13 March 2012