Security Bulletin: Rational Automation Framework Environment Wizard Vulnerability (CVE-2012-4816)

Security Bulletin

Summary

Accessing the IBM Rational Automation Framework web user interface via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.

Vulnerability Details

	Subscribe to My Notifications to be notified of important product support alerts like this. Follow this link for more information (requires login with your IBM ID)

CVEID: CVE-2012-4816

Description:
Accessing the Rational Automation Framework (RAF) web UI via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.

CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78379 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

Rational Automation Framework 3.0 and later on all supported platforms.

Remediation/Fixes

None

Workarounds and Mitigations

Workaround(s):

Environment Generation Security Patch for Tomcat

1. Modify the files below to fix the Env Gen Wizard default access without login.

Path: C:\IBM\\Apache\tomcat\conf
File: tomcat-users.xml

Add user profile between the <tomcat-users> tag
<role rolename="admin"/>
<user username="admin" password="test123" roles="admin"/>

2. Add the below components above the </web-app> tag

Path: C:\IBM\Apache\tomcat\webapps\rafw\WEB-INF
File: Web.xml
<security-role>
<role-name>admin</role-name>
</security-role>

<security-constraint>
<display-name>Environment Generation</display-name>
<web-resource-collection>
<web-resource-name>Administration</web-resource-name>
<url-pattern>/rafw/*</url-pattern>
</web-resource-collection>


<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>


<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Secure Area</realm-name>
</login-config>

3. Restart BuildForge.

Environment Generation Security Patch for WebSphere Application Server (WAS 7.0 & 8.0)

Update the web.xml File

1. There are two copies of the web.xml file, located in the following directories:

/WAS_install_root/installedApps/<cellname>/rweb.ear/rweb.war/WEB-INF/web.xml

/WAS_install_root/config/cells/<cellname>/applications/rweb.ear/deployments/rweb/rweb.war/WEB-INF/web.xml

Note: If this is a WebSphere Application Server Network Deployment, there is an additional web.xml that must be updated:

/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/<dellname>/applications/rweb_war.ear/deployments/rweb_war/rweb.war/web.xml

2. Insert the below basic authentication and security role to the three web.xml files

<security-constraint>
<display-name>Environment Generation</display-name>
<web-resource-collection>
<web-resource-name>Security constraint for Env Gen</web-resource-name>
<url-pattern>/rafw/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>admin</role-name>
</security-role>

3. Enable WebSphere Application Server security:

Open WebSphere Administrative console using the url http://:/ibm/console

In the WebSphere Application Server administrative console, click Security > Global Security.
Select Enable administrative security.
Ensure Enable application security is selected

4. Map Security Roles in Web.xml to WAS Manage User/Group.

Select Application > WebSphere Enterprise Applications > Rational Automation Framework
Under the Detailed Properties section you will see a link Security role to user/group mapping.
The link will appear only if your web.xml is setup correctly click the Security role to user/group mapping
Select the roles you wish to use for authentication
Click on Map Users or Map groups
Click search and select users (that are setup in your websphere under Users and Groups menu)
Use the arrows to move the selected users/groups to the right hand box
Click ok and save to master configuration.

Use: https://:9443/rbf-services/LoginServlet if there is any problem in RAF server auto-redirect.

Try logging in using default WAS port : http://:9080/rafw/env

Mitigation(s):

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Acknowledgement

None

Change History

* 14 December 2012 - Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSWJ96","label":"Rational Automation Framework"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General Information","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"3.0;3.0.0.1;3.0.0.2;3.0.0.3;3.0.0.4;3.0.0.5","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

Security Bulletin: Rational Automation Framework Environment Wizard Vulnerability (CVE-2012-4816)