Security Bulletin: Rational Automation Framework Environment Wizard Vulnerability (CVE-2012-4816)
Accessing the IBM Rational Automation Framework web user interface via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.
|Subscribe to My Notifications to be notified of important product support alerts like this.
Accessing the Rational Automation Framework (RAF) web UI via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78379 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
Rational Automation Framework 3.0 and later on all supported platforms.
Workarounds and Mitigations
Environment Generation Security Patch for Tomcat
1. Modify the files below to fix the Env Gen Wizard default access without login.
Add user profile between the <tomcat-users> tag
<user username="admin" password="test123" roles="admin"/>
2. Add the below components above the </web-app> tag
<!-- Only administrators can access this resource -->
<!-- Use BASIC security -->
3. Restart BuildForge.
Environment Generation Security Patch for WebSphere Application Server (WAS 7.0 & 8.0)
Update the web.xml File
1. There are two copies of the web.xml file, located in the following directories:
Note: If this is a WebSphere Application Server Network Deployment, there is an additional web.xml that must be updated:
2. Insert the below basic authentication and security role to the three web.xml files
<web-resource-name>Security constraint for Env Gen</web-resource-name>
3. Enable WebSphere Application Server security:
Open WebSphere Administrative console using the url http://
- In the WebSphere Application Server administrative console, click Security > Global Security.
- Select Enable administrative security.
- Ensure Enable application security is selected
4. Map Security Roles in Web.xml to WAS Manage User/Group.
- Select Application > WebSphere Enterprise Applications > Rational Automation Framework
- Under the Detailed Properties section you will see a link Security role to user/group mapping.
The link will appear only if your web.xml is setup correctly click the Security role to user/group mapping
- Select the roles you wish to use for authentication
- Click on Map Users or Map groups
- Click search and select users (that are setup in your websphere under Users and Groups menu)
- Use the arrows to move the selected users/groups to the right hand box
- Click ok and save to master configuration.
Get Notified about Future Security Bulletins
ReferencesComplete CVSS v2 Guide
On-line Calculator v2
Related informationIBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
* 14 December 2012 - Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
Rational Automation Framework
Software version: 3.0, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
Operating system(s): AIX, Linux, Solaris, Windows
Reference #: 1620359
Modified date: 19 December 2012
Translate this page: