Potential Denial of Service (Dos) security exposure when using Web based applications like Mashup Center due to JavaHashTable implementation vulnerability.
This technote is based on Flash #1577532 and supplies additional details specific to releases of IBM Mashup Center. Refer to the original document (see: 'Related information' section) for complete information about this potential problem.
Refer to the original notification posted by the Websphere team for complete information: Potential security vulnerability when using Web based application.
Fix information relevant to Mashup Center is located in section: For IBM WebSphere Application Server for distributed operating systems
subsection: For V7.0 through 18.104.22.168:
The current recommended action for Mashup Center is to install Interim Fix APAR PM53930
Check the source document for changes.
Websphere Fix Pack 23 (22.214.171.124) has not been tested with Mashup Center and so the alternate recommendation of upgrading to 126.96.36.199 is not recommended.
APAR PM53930 Overview:
WebContainer code has been updated to mitigate this vulnerability.
There is a new property that can be used in conjunction with this fix:
You can use this property to change the maximum number of parameters allowed in your inbound requests, based on your applications and environment. The maximum number of parameters allowed per inbound request (GET or POST) defaults to 10000.
Applying Websphere Fixes:
The following is a task check list to assist IBM Mashup Center administrators not familiar with applying WebSphere interim fix APARs. Refer to the information in the Websphere Application Server support Flash document and the Websphere InfoCenter for complete information.
- If you have not applied a WebSphere update before you will need to download and install the folders of the IBM WebSphere Update Installer V188.8.131.52 or later. See link the Related Items section.
- Obtain your current Websphere version by running the command file: versioninfo.[bat|sh]. This is located in: <IMC-install>/Appserver/bin.
- Use the link in the Websphere Application Server support Flash document to download the interim fix APAR file for your Websphere version into the maintenance folder in the Update Installer installation.
- Run the Update Installer (update.[bat | sh]). This process requires you to identify the AppServer directory of your Mashup Center installation and then interim fix APAR PAK file you downloaded.
- Restart the Server when the update is complete.
|Software Development||Lotus Mashups||Not Applicable||AIX, Linux, Windows||Version Independent||All Editions|
|Software Development||IBM Mashup Center||Not Applicable||AIX, Linux, Windows||184.108.40.206, 3.0, 2.0, 1.1||All Editions|