Potential security exposure within Information Server after installing an application server update PM44303
The affected WebSphere Application Server releases have the potential for an authenticated user to bypass security restrictions, caused by an error when validating user credentials. This could allow a user to gain unauthorized administrative access to an application and potentially gain access to confidential and critical customer data.
InfoSphere Information Server 8.5 or 8.7 releases could be affected if you have applied Interim Fix for PM44303, or one of the following WebSphere Application Server Fix Packs containing PM44303:
- Version 18.104.22.168
- Version 22.214.171.124 through 126.96.36.199
More detailed information regarding this security issue is available in technote 1609067 for WebSphere Application Server (WAS), located in the related information section below.
The Information Server 8.0.1 and Information Server 8.1 releases are not affected, as both of these depend on WebSphere Application Server 6.0.2.x releases.
Step 1. Determine your WebSphere Application Server Version
The first few lines of the SystemOut.log file tell you the exact version of WebSphere Application Server (WAS) that is being used, as shown in the sample given here:
************ Start Display Current Environment ************
WebSphere Platform 188.8.131.52 [ND 184.108.40.206 cf171115.15] running with process name TestMachineNode01Cell\TestMachineNode01\server1 and process id 1556
In the sample above, the exact version is the one shown in brackets after the edition (ND). The location of this file varies with the platform and the installation directory chosen by the user. The default value will usually be something similar to:
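The version check in Step 1 can be scripted so it is repeated identically on every node. The following is an added example, not part of this technote and not an IBM tool. It parses the "WebSphere Platform ..." banner line from a SystemOut.log, extracts the edition and the bracketed (exact) version, and compares that version against a list of affected ranges. The ranges and the log content below are constructed placeholders for illustration only; replace AFFECTED_RANGES with the version ranges listed in technote 1609067 before relying on the result.

```python
"""Extract the WAS version from a SystemOut.log banner and flag affected releases.

Added example; not part of the original technote or of any IBM product.
"""
import re
import sys
from typing import Iterable, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]

# The banner WAS writes near the top of SystemOut.log looks like:
#   WebSphere Platform 7.0.0.2 [ND 7.0.0.2 cf021115.15] running with process name ...
# Group 1: platform version, group 2: edition (ND, BASE, ...), group 3: exact version.
_BANNER = re.compile(r"^WebSphere Platform (\d+(?:\.\d+)+) \[(\w+) (\d+(?:\.\d+)+)")

# PLACEHOLDER ranges (lo, hi), inclusive. These are NOT the real affected
# versions; copy the actual list from technote 1609067.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("6.1.0.1", "6.1.0.2"),
    ("7.0.0.1", "7.0.0.3"),
]

# Constructed sample log content, modelled on the banner format shown above.
SAMPLE_LOG = r"""************ Start Display Current Environment ************
WebSphere Platform 7.0.0.2 [ND 7.0.0.2 cf021115.15] running with process name TestMachineNode01Cell\TestMachineNode01\server1 and process id 1556
Host Operating System is Linux, version 2.6.32
"""


def parse_version(text: str) -> Version:
    """'7.0.0.2' -> (7, 0, 0, 2); tuples compare component-wise, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_was_version(lines: Iterable[str]) -> Optional[Tuple[str, Version]]:
    """Return (edition, exact_version) from the first banner line, or None if absent."""
    for line in lines:
        match = _BANNER.match(line.strip())
        if match:
            return match.group(2), parse_version(match.group(3))
    return None


def is_affected(version: Version, ranges: Sequence[Tuple[str, str]]) -> bool:
    """True if version falls inside any inclusive (lo, hi) range."""
    return any(parse_version(lo) <= version <= parse_version(hi) for lo, hi in ranges)


def check_log(lines: Iterable[str],
              ranges: Sequence[Tuple[str, str]]) -> Optional[Tuple[str, str, bool]]:
    """Return (edition, version_string, affected) for a log, or None if no banner found."""
    found = find_was_version(lines)
    if found is None:
        return None
    edition, version = found
    return edition, ".".join(str(p) for p in version), is_affected(version, ranges)


def check_log_file(path: str, ranges: Sequence[Tuple[str, str]]) -> Optional[Tuple[str, str, bool]]:
    """Same as check_log, reading the file at path (errors='replace' tolerates odd encodings)."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return check_log(handle, ranges)


if __name__ == "__main__":
    # Usage: python was_version_check.py /path/to/SystemOut.log
    # With no argument the constructed sample above is checked.
    result = (check_log_file(sys.argv[1], AFFECTED_RANGES) if len(sys.argv) > 1
              else check_log(SAMPLE_LOG.splitlines(), AFFECTED_RANGES))
    if result is None:
        print("No 'WebSphere Platform' banner found; is this the server's SystemOut.log?")
        sys.exit(2)
    edition, version, affected = result
    print(f"Edition {edition}, version {version}: "
          f"{'AFFECTED, see technote 1609067' if affected else 'not in the affected ranges'}")
    sys.exit(1 if affected else 0)
```

Only the banner line is parsed, so the script also returns None (exit code 2) for a file that is not a server's SystemOut.log, which prevents a missing banner from being read as "not affected". Version components are compared numerically so that, for example, 7.0.0.19 sorts after 7.0.0.2.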
Step 2. Locate the version in the WAS Technote 1609067 and then choose a fix method
You can either install the individual APAR fixes identified in the technote, or install the WebSphere Application Server fix pack that contains the fix.