Potential security exposure with IBM Rational Developer for System z after installing PM44303 for WebSphere Application Server

Flash (Alert)


Abstract

After installing the WebSphere Application Server Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM Rational Developer for System z.

Content

VULNERABILITY DETAILS

CVE ID:
CVE-2012-3325 (PM71296)

DESCRIPTION:

If you have installed an Interim Fix for PM44303 or a Fix Pack listed above, you have the potential for an authenticated user to bypass security restrictions, caused by an error when validating user credentials. This could allow a user to gain unauthorized administrative access to an application and potentially gain access to confidential and critical customer data.

CVSS:

CVSS Base Score: 6.0
CVSS Temporal Score: See
http://xforce.iss.net/xforce/xfdb/77959 for the current score
CVSS Environmental Score*: undefined
CVSS String:
(AV:N/AC:M/Au:S/C:P/I:P/A:P)

AFFECTED PLATFORMS:

The problem affects the following IBM WebSphere Application Server z/OS platform Versions and IBM WebSphere Application Server Hypervisor Edition included in the IBM Rational Developer for System z package with:

  • Version 6.1.0.43
  • Version 7.0.0.21 through 7.0.0.23
  • Version 8.0.0.2 through 8.0.0.4
  • Version 8.5.0.0 (Full Profile only)

The problem does not occur on the following versions:
  • Version 6.0.2
  • Version 6.1.0.0 through 6.1.0.41
  • Version 7.0.0.0 through 7.0.0.19
  • Version 8.0.0.0 through 8.0.0.1
  • Version 8.5.0.0 (Liberty Profile only)

REMEDIATION:

Apply Interim Fix PM71296, or a Fix Pack containing the APAR, as noted below.

For IBM WebSphere Application Server for distributed operating systems and IBM WebSphere Application Server Hypervisor Edition:

For V8.5.0.0 Full Profile: --OR--
  • Apply Fix Pack 1 (8.5.0.1), or later (targeted to be available end of October 2012).
For 8.0.0.2 through 8.0.0.4: --OR--
  • Apply Fix pack 5 (8.0.0.5) or later (targeted to be available mid-November 2012).

For V7.0.0.21 through 7.0.0.23:
--OR--
  • Apply Fix pack 25 (7.0.0.25) or later (targeted to be available late September 2012).
For V6.1.0.43: --OR--
  • Apply Fix pack 45 (6.1.0.45) or later (targeted to be available late September 2012).

For WebSphere Application Server for z/OS operating systems:
For V8.5.0.0 Full Profile: --OR--
  • Apply Fix Pack 1 (8.5.0.1), or later (targeted to be available end of October 2012).

For V8.0.0.2 through 8.0.0.4:
--OR--
  • Apply Fix Pack 5 (8.0.0.5) or later (targeted to be available mid November 2012).

For z/OS operating systems Version 7 and Version 6.1


++APAR : You can apply the appropriate prebuilt ++APAR below or open a PMR (Problem Management Record) with IBM WebSphere Application Server for z/OS Technical support to request a custom-built ++APAR.

For V7.0.0.23:
  • Download and apply ++APAR BM71296
--OR--
  • Apply APAR PM71296 by installing PTFs for Fix Pack 25 (7.0.0.25) or later (targeted to be available late September 2012).

For V7.0.0.21:
  • Download and apply ++APAR CM71296
--OR--
  • Apply APAR PM71296 by installing PTFs for Fix Pack 25 (7.0.0.25) or later (targeted to be available late September 2012).

For V6.1.0.43:
  • Download and apply ++APAR AM71462. The ++APAR AM71462 will install for 6.1.0.43 Base Edition, or for WebSphere Application Server V6.1 Feature Pack for EJB 3.0 on z/OS or WebSphere Application Server V6.1 Feature Pack for Web Services on z/OS.
--OR--
  • Apply APAR PM71462 by installing PTFs for Fix Pack 45 (6.1.0.45) or later (targeted to be available late September 2012).

Note:
Customers that require a fix at a different WebSphere service level not mentioned above, or those who are running with a service level mentioned above but also have an existing ++APAR, will need to open a PMR to work with IBM Technical Support personnel to determine the best method for providing a fix for their system. Be prepared to provide to IBM your current service level, and any existing ++APARs that are already received/applied to your system.

Instructions for installing ++APARs:

1. FTP the file to your system in BINARY, into a FIXED RECORD LENGTH 1024 data set.
2. Force these DCB attributes using the following TSO FTP client command right before the GET command:

LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0

If the ++APAR is quite large, then you can also pass along data set allocation information on the LOCSITE command. The example below gives the ++APAR file 300 cylinders in its primary and secondary extents.

These numbers are just examples:

LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0 PRI=300 SEC=300 CYL

3. UNTERSE the file
4. SMP/E RECEIVE and APPLY the ++APAR
5. You must SMP/E RESTORE OFF the ++APAR before installing further WebSphere maintenance.

FIX:
Update per the steps in the REMEDIATION section.

WORK AROUND:
None.

MITIGATION:
None.

Additional documentation:
For additional details and information on WebSphere Application Server product updates:



RELATED INFORMATION:
https://www-304.ibm.com/connections/blogs/PSIRT/?lang=en_us
http://www.first.org/cvss/cvss-guide.html


ACKNOWLEDGEMENT:
None.


CHANGE HISTORY:
None.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Rate this page:

(0 users)Average rating

Document information


More support for:

Rational Developer for System z
Setup / Configure

Software version:

7.1, 7.5, 7.5.1, 7.5.1.3, 7.5.1.4, 7.6, 7.6.1, 7.6.2, 7.6.2.2, 7.6.2.3, 7.6.2.4, 8.0.1, 8.0.2, 8.0.3, 8.0.3.1, 8.0.3.2, 8.0.3.3, 8.5, 8.5.0.1, 8.5.1

Operating system(s):

AIX, Linux, Windows, z/OS

Reference #:

1616337

Modified date:

2012-11-27

Translate my page

Machine Translation

Content navigation