Potential security vulnerability when using Web based applications on IBM WebSphere Application Server due to Java HashTable implementation vulnerability (PM53930/PM57565)

Flash (Alert)


Abstract

Potential Denial of Service (Dos) security exposure when using Web based applications like Mashup Center due to JavaHashTable implementation vulnerability.

This technote is based on Flash #1577532 and supplies additional details specific to releases of IBM Mashup Center. Refer to the original document (see: 'Related information' section) for complete information about this potential problem.

Content

Solution:

Refer to the original notification posted by the Websphere team for complete information: Potential security vulnerability when using Web based application.

Fix information relevant to Mashup Center is located in section:  For IBM WebSphere Application Server for distributed operating systems  
subsection: For V7.0 through 7.0.0.21:

The current recommended action for Mashup Center is to install Interim Fix APAR PM53930

Check the source document for changes.

Websphere Fix Pack 23 (7.0.0.23) has not been tested with Mashup Center and so the alternate recommendation of upgrading to 7.0.0.23 is not recommended.

APAR PM53930 Overview:

WebContainer code has been updated to mitigate this vulnerability.

There is a new property that can be used in conjunction with this fix:

com.ibm.ws.webcontainer.maxParamPerRequest

You can use this property to change the maximum number of parameters allowed in your inbound requests, based on your applications and environment. The maximum number of parameters allowed per inbound request (GET or POST) defaults to 10000.

Applying Websphere Fixes:

The following is a task check list to assist IBM Mashup Center administrators not familiar with applying WebSphere interim fix APARs. Refer to the information in the Websphere Application Server support Flash document and the Websphere InfoCenter for complete information.

  • If you have not applied a WebSphere update before you will need to download and install the folders of the IBM WebSphere Update Installer V7.0.0.15 or later. See link the Related Items section.
  • Obtain your current Websphere version by running the command file: versioninfo.[bat|sh]. This is located in: <IMC-install>/Appserver/bin.
  • Use the link in the Websphere Application Server support Flash document to download the interim fix APAR file for your Websphere version into the maintenance folder in the Update Installer installation.
  • Run the Update Installer (update.[bat | sh]). This process requires you to identify the AppServer directory of your Mashup Center installation and then interim fix APAR PAK file you downloaded.
  • Restart the Server when the update is complete.

Related information

Corrective action - Flash 1577532
Websphere Update Installer

Cross reference information
Segment Product Component Platform Version Edition
Software Development Lotus Mashups Not Applicable AIX, Linux, Windows Version Independent All Editions
Software Development IBM Mashup Center Not Applicable AIX, Linux, Windows 3.0.0.1, 3.0, 2.0, 1.1 All Editions

Rate this page:

(0 users)Average rating

Document information


More support for:

InfoSphere MashupHub
Application server

Software version:

1.1, 2.0, 3.0

Operating system(s):

AIX, Linux, Windows

Software edition:

All Editions

Reference #:

1592923

Modified date:

2012-05-01

Translate my page

Machine Translation

Content navigation