Security Bulletin
Summary
IBM® SDK, Java™ Technology Edition and the Oracle JDK have changed the default socket permissions in the java.policy file.
Vulnerability Details
IBM® SDK, Java™ Technology Edition and the Oracle JDK have changed the default socket permissions in the java.policy file. Oracle documents these changes in the Change in Default Socket Permissions section of the Release Notes at the following location: http://www.oracle.com/technetwork/java/javase/7u51-relnotes-2085002.html
The default java.policy file has changed as indicated below:
Old java.policy file:
permission java.net.SocketPermission "localhost:1024-", "listen";
New java.policy file:
permission java.net.SocketPermission "localhost:0", "listen";
permission java.net.SocketPermission "localhost:1099", "listen";
These changes affect WebSphere Application Server in the following ways:
- For IBM i
- WebSphere Application Server on IBM i uses the system SDK. After updating to the specified SDK, if Java 2 security is enabled and WebSphere Application Server or one of its applications listens on a localhost socket with a port number of 1024 or higher (other than port 1099, or port 0 for an ephemeral port), you may now see a java.security.AccessControlException.
- For all other platforms
- WebSphere Application Server has a locally owned SDK. The java.policy file changes were not made to Application Server's SDK. No action is needed to continue with the same behavior. See the remediation section for more details.
Affected Products and Versions
These changes affect the following IBM Java SDK releases shipped with WebSphere Application Server:
IBM Java SDK Version 7R1 Service Refresh 1 or later - shipped with WebSphere Application Server Version 8.5.5
IBM Java SDK Version 7 Service Refresh 7 or later - shipped with WebSphere Application Server Version 8.5.5
IBM Java SDK Version 6R1 Service Refresh 8 or later - shipped with WebSphere Application Server Version 8.5.5 and 8.0
IBM Java SDK Version 6 Service Refresh 16 or later - shipped with WebSphere Application Server Version 7.0
IBM Java SDK Version 5 Service Refresh 16 Fix Pack 6 or later - shipped with WebSphere Application Server Version 6.1
Remediation/Fixes
For IBM i - you may do one of the following:
- You may add specific permissions to the Application Server's server.policy file. This policy file, located in /WAS_HOME/properties/ , is merged with the system-wide java.policy file to define permissions for JVMs started by WebSphere Application Server.
- You may revert the changes in the java.policy file, which would affect all JVMs started with the system wide SDK.
- If you would like to restrict the Application Server's socket permissions to the same level as the IBM and Oracle SDKs, you may update the Application Server's java.policy file with the new permissions.
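The following program is an added example and is not IBM's code or part of WebSphere Application Server. It checks, under Java 2 security, whether the effective policy allows listening on a given localhost port, first by asking AccessController directly and then by actually binding a loopback ServerSocket, so that the AccessControlException described above can be reproduced before and after a policy change. The file name demo.policy, the codeBase shown in the comment, and the ports passed on the command line are assumptions for illustration; it assumes a JDK of the era of this bulletin (Java 7 or 8), since the Security Manager has been deprecated for removal from Java 17 onward.

```java
// ListenCheck.java - added example, not IBM's code.
//
// Compile and run with Java 2 security enabled. The double "==" makes
// demo.policy the ONLY policy in effect (a single "=" would merge it with
// the SDK's default java.policy, which is the file that changed):
//
//   javac ListenCheck.java
//   java -Djava.security.manager -Djava.security.policy==demo.policy ListenCheck 1024 1099 8080
//
// demo.policy containing only the NEW default permissions from the bulletin
// (expected: 1099 allowed, 1024 and 8080 denied):
//
//   grant {
//       permission java.net.SocketPermission "localhost:0", "listen";
//       permission java.net.SocketPermission "localhost:1099", "listen";
//   };
//
// To restore the OLD behaviour for one JVM (the server.policy route on IBM i),
// add a grant such as the following; the codeBase is illustrative only:
//
//   grant codeBase "file:/WAS_HOME/-" {
//       permission java.net.SocketPermission "localhost:1024-", "listen";
//   };

import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.SocketPermission;
import java.security.AccessControlException;
import java.security.AccessController;

public class ListenCheck {

    /** True if the policy in effect lets this code listen on localhost:port. */
    static boolean mayListen(int port) {
        try {
            // Same permission SecurityManager.checkListen() tests on bind.
            AccessController.checkPermission(
                new SocketPermission("localhost:" + port, "listen"));
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    /** Binds a loopback listener; returns the bound port, or -1 on failure. */
    static int tryBind(int port) {
        try (ServerSocket ss = new ServerSocket(port, 50, InetAddress.getLoopbackAddress())) {
            return ss.getLocalPort();
        } catch (AccessControlException e) {
            // This is the exception the bulletin warns about.
            System.out.println("  denied by policy: " + e.getMessage());
            return -1;
        } catch (IOException e) {
            // Port already in use, etc.: not a policy problem.
            System.out.println("  bind failed (not a policy issue): " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) {
        if (System.getSecurityManager() == null) {
            System.out.println("No SecurityManager installed; run with -Djava.security.manager");
        }
        for (String arg : args) {
            int port = Integer.parseInt(arg);
            System.out.println("port " + port + ": checkPermission says "
                + (mayListen(port) ? "allowed" : "denied"));
            int bound = tryBind(port);
            if (bound >= 0) {
                System.out.println("  bound on port " + bound);
            }
        }
    }
}
```

Port 0 is worth testing as well: under the new defaults an ephemeral listener is still granted, so only code that asks for a specific port at or above 1024 (other than 1099) is affected. Prefer the narrowest grant that works, for example a single port or a small range per codeBase, over restoring "localhost:1024-" for every JVM.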
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Change History
06 August 2014: original document published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
15 June 2018
UID
swg21679779