Security Bulletin: Rational Automation Framework Environment Wizard Vulnerability (CVE-2012-4816)

Security Bulletin


Summary

Accessing the IBM Rational Automation Framework web user interface via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.

Vulnerability Details

Subscribe to My Notifications to be notified of important product support alerts like this.
  • Follow this link for more information (requires login with your IBM ID)

CVEID: CVE-2012-4816

Description:
Accessing the Rational Automation Framework (RAF) web UI via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.

CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/78379 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

Rational Automation Framework 3.0 and later on all supported platforms.

Remediation/Fixes

None

Workarounds and Mitigations

Workaround(s):

Environment Generation Security Patch for Tomcat


1. Modify the files below to fix the Env Gen Wizard default access without login.

Path: C:\IBM\\Apache\tomcat\conf
File: tomcat-users.xml

Add user profile between the <tomcat-users> tag

   <role rolename="admin"/>

    <user username="admin" password="test123" roles="admin"/>

2. Add the below components above the </web-app> tag

Path: C:\IBM\Apache\tomcat\webapps\rafw\WEB-INF
File: Web.xml

<security-role>

    <role-name>admin</role-name>
</security-role>

<security-constraint>
    <display-name>Environment Generation</display-name>
    <web-resource-collection>
        <web-resource-name>Administration</web-resource-name>
        <url-pattern>/rafw/*</url-pattern>
    </web-resource-collection>

    <!-- Only administrators can access this resource -->
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

<!-- Use BASIC security -->
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Secure Area</realm-name>
</login-config>

3. Restart BuildForge.


Environment Generation Security Patch for WebSphere Application Server (WAS 7.0 & 8.0)

Update the web.xml File

1. There are two copies of the web.xml file, located in the following directories:

/WAS_install_root/installedApps/<cellname>/rweb.ear/rweb.war/WEB-INF/web.xml

/WAS_install_root/config/cells/<cellname>/applications/rweb.ear/deployments/rweb/rweb.war/WEB-INF/web.xml

Note: If this is a WebSphere Application Server Network Deployment, there is an additional web.xml that must be updated:

/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/<dellname>/applications/rweb_war.ear/deployments/rweb_war/rweb.war/web.xml

2. Insert the below basic authentication and security role to the three web.xml files

<security-constraint>
<display-name>Environment Generation</display-name>
<web-resource-collection>
<web-resource-name>Security constraint for Env Gen</web-resource-name>
<url-pattern>/rafw/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>

<security-role>
<role-name>admin</role-name>
</security-role>

3. Enable WebSphere Application Server security:

Open WebSphere Administrative console using the url http:// : /ibm/console

  • In the WebSphere Application Server administrative console, click Security > Global Security.
  • Select Enable administrative security.
  • Ensure Enable application security is selected




4. Map Security Roles in Web.xml to WAS Manage User/Group.
  • Select Application > WebSphere Enterprise Applications > Rational Automation Framework
  • Under the Detailed Properties section you will see a link Security role to user/group mapping.
    The link will appear only if your web.xml is setup correctly click the Security role to user/group mapping
  • Select the roles you wish to use for authentication
  • Click on Map Users or Map groups
  • Click search and select users (that are setup in your websphere under Users and Groups menu)
  • Use the arrows to move the selected users/groups to the right hand box
  • Click ok and save to master configuration.

Use: https:// :9443/rbf-services/LoginServlet if there is any problem in RAF server auto-redirect.


Try logging in using default WAS port : http:// :9080/rafw/env



Mitigation(s):
None

References

Related information

Acknowledgement

None

Change History

* 14 December 2012 - Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Rational Automation Framework
General Information

Software version:

3.0, 3.0.0.1, 3.0.0.2, 3.0.0.3, 3.0.0.4, 3.0.0.5

Operating system(s):

AIX, Linux, Solaris, Windows

Reference #:

1620359

Modified date:

2012-12-19

Translate my page

Machine Translation

Content navigation