
Security Bulletin: Fix Available for Security Vulnerability in IBM WebSphere Portal (CVE-2014-8912)



Summary

A fix is available for a security vulnerability in IBM WebSphere Portal (CVE-2014-8912).

Vulnerability Details

CVEID: CVE-2014-8912
DESCRIPTION:
IBM WebSphere Portal could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within web applications. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99253 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM WebSphere Portal 8.5

IBM WebSphere Portal 8.0

IBM WebSphere Portal 7.0

IBM WebSphere Portal 6.1

Remediation/Fixes

Remediate the issue by executing the following three steps. They include the installation of PI47714, which introduces a framework to control resource serving via the RES data source based on black/white lists, and configuration of the black/white lists.

Step 1 (Apply PI47714):
Apply an Interim Fix or a Cumulative Fix containing PI47714.

For 8.5.0


For 8.0.0 through 8.0.0.1
  • Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 18 (CF18) and then apply the Interim Fix PI47714. Then continue with Steps 2 and 3.
--or--
For 7.0.0 through 7.0.0.2
  • Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 29 (CF29) and then apply the Interim Fix PI47714. Then continue with Steps 2 and 3.
--or--
For 6.1.5.0 through 6.1.5.3
For 6.1.0.0 through 6.1.0.6
Step 2 (Black/white list settings for custom web applications):
Adjust the black/white list settings for your custom web applications (custom themes, custom portlets, etc.). Only custom web applications that serve resources addressed via the RES data source need to be adjusted. You can identify the resource serving that actually happens during regular usage and adjust the black/white list settings based on log messages.

After installation of PI47714, log messages in the SystemOut.log like the following indicate resource serving from within web applications as it occurs:
[10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does not specify a blackwhite list when accessing resource [css/my.css], falling back to the default [[(null), (WEB-INF/.*)]]. Applications can define a custom list by adding the keys [com.ibm.portal.resource.whitelist] and [com.ibm.portal.resource.blacklist] to their web.xml deployment descriptor.
(NOTE: Depending on your usage scenario, these log messages can fill your SystemOut.log file and cause a significant performance penalty. After the black/white list settings for your custom web applications have been specified as described below, they will no longer occur. If you need to mute the log messages temporarily until you have specified the black/white list settings, you can do so by setting this trace level: com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory=off)

For each resource mentioned in the log messages you need to decide whether this is intended access. For the resources within a web application you can define the access based on black/white lists in two ways:
    A) via a context parameter in the web.xml of the web application,
    B) via Resource Environment Provider settings.
Option A) is recommended; option B) can be used as a fallback in case updates of the web applications are not possible.

Details on option A):

A context parameter defines which files from your web module are served via the RES data source.

Define a whitelist using a regular expression that matches the files that you want to make available. In addition, with a blacklist you remove certain entries from the set of files that are available in the whitelist. A blacklist is helpful if you want to serve a folder but not a certain file within that folder.

The expressions are case-sensitive, for example WEB-INF is different from Web-Inf.

The parameters com.ibm.portal.resource.whitelist and com.ibm.portal.resource.blacklist are set in the web.xml file of the web module (Note: they differ from com.ibm.portal.whitelist and com.ibm.portal.blacklist, which may already exist in the web.xml due to unrelated settings for the war datasource). The web module needs to be redeployed before the changes take effect.

Sample of option A):
Serve all files that are not part of the WEB-INF folder.

<web-app>
...
    <context-param>
      <description>A regular expression that defines which of the resources in the war file can be served by the portal res datasource.</description>
      <param-name>com.ibm.portal.resource.whitelist</param-name>
      <param-value>.*</param-value>
    </context-param>
    <context-param>
      <description>A regular expression that defines which of the resources in the war file cannot be served by the portal res datasource.</description>
      <param-name>com.ibm.portal.resource.blacklist</param-name>
      <param-value>WEB-INF/.*</param-value>
    </context-param>
...
</web-app>


Details on option B):

Resource Environment Provider custom properties define which files from your web module are served via the RES data source.

For each web application define three custom properties in the Resource Environment Provider 'WP ConfigService'. The property name part '<your_key_for_web_app>' is used during parsing to identify the three properties belonging together for one web application, so you need to use a new key for each web application for which you specify the three properties. All three properties are required; you can neither skip the blacklist nor the whitelist property. The server needs to be restarted before the changes take effect.

Name: com.ibm.portal.resource.<your_key_for_web_app>.contextroot
Value: The context root under which the war file is deployed. You can use the variable '${URI_CONTEXT_PATH}' to avoid a hard reference to the context root, which can be changed with features like Search Engine Optimization or renaming of the context root. The variable '${URI_CONTEXT_PATH}' resolves to '/wps' in the out-of-the-box setup.
Note: The messages in the SystemOut.log contain information that helps you determine this value. See the sample for details.

Name: com.ibm.portal.resource.<your_key_for_web_app>.whitelist
Value: A regular expression that defines which of the resources in the war file can be served by the portal res datasource.

Name: com.ibm.portal.resource.<your_key_for_web_app>.blacklist
Value: A regular expression that defines which of the resources in the war file cannot be served by the portal res datasource.


Sample of option B):

Assume the SystemOut.log contains this log message:
[10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does not specify a blackwhite list when accessing resource [css/my.css], ..
In order to serve all files that are not part of the WEB-INF folder, you would:
  • First, choose an arbitrary property name part to be used for all three required properties, e.g. in this case 'my_web_app_1'. You then need to define three properties containing my_web_app_1: 'com.ibm.portal.resource.my_web_app_1.contextroot', 'com.ibm.portal.resource.my_web_app_1.whitelist', and 'com.ibm.portal.resource.my_web_app_1.blacklist'.
  • Second, determine the value for the property 'com.ibm.portal.resource.my_web_app_1.contextroot' by using the information from the message (.. Servlet context [/wps/PA_My_Web_App] does..). The value '/wps/PA_My_Web_App' would work. Better is to use '${URI_CONTEXT_PATH}/PA_My_Web_App', as it would continue to work in case of a future context root change.
  • Third, define the value of 'com.ibm.portal.resource.my_web_app_1.whitelist' as '.*' (all files) and 'com.ibm.portal.resource.my_web_app_1.blacklist' as 'WEB-INF/.*' (block this folder).
This would result in these three sample custom properties in the Resource Environment Provider 'WP ConfigService':

Name: com.ibm.portal.resource.my_web_app_1.contextroot
Value: ${URI_CONTEXT_PATH}/PA_My_Web_App

Name: com.ibm.portal.resource.my_web_app_1.whitelist
Value: .*

Name: com.ibm.portal.resource.my_web_app_1.blacklist
Value: WEB-INF/.*



Step 3 (Fallback configuration)
Set the fallback for web applications that were not covered in Step 2 and do not specify a black/white list to always block. This step is required to complete the remediation.

Define a custom property in the Resource Environment Provider 'WP ConfigService':

Name: com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist
Value: .*

Note: It is possible to do Step 3 before Step 2. But depending on your setup, this can lead to major functional regression.
Note: IBM changed the default value of com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist to .* in later Cumulative Fixes. This was done by APAR PI65954, contained in IBM WebSphere Portal 8.5 CF12 and IBM WebSphere Portal 8.0 CF22.
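To check the outcome of Steps 2 and 3 before restarting the server, here is an added Python example (not IBM's code and not part of the bulletin) that parses the PI47714 log message format from constructed sample lines, groups option B properties by their '<your_key_for_web_app>' part, and evaluates which resources the whitelist/blacklist pair plus the Step 3 fallback would serve. It assumes that '${URI_CONTEXT_PATH}' resolves to '/wps', that matching is a case-sensitive full match of the resource path, and that the fallback's '(null)' whitelist admits everything; the portal's actual matching rules may differ.

```python
import re

# Constructed SystemOut.log excerpt in the PI47714 message format quoted above
# (sample data, not a real capture).
SAMPLE_LOG = """\
[10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does not specify a blackwhite list when accessing resource [css/my.css], falling back to the default [[(null), (WEB-INF/.*)]].
[10/5/15 8:00:01:000 EDT] 0000000b AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does not specify a blackwhite list when accessing resource [WEB-INF/portlet.xml], falling back to the default [[(null), (WEB-INF/.*)]].
[10/5/15 8:00:02:000 EDT] 0000000c AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_Other_App] does not specify a blackwhite list when accessing resource [js/app.js], falling back to the default [[(null), (WEB-INF/.*)]].
"""
LOG_RE = re.compile(r"Servlet context \[([^\]]+)\] does not specify a blackwhite list"
                    r" when accessing resource \[([^\]]+)\]")

# Constructed 'WP ConfigService' custom properties: the option B sample for one
# application plus the Step 3 fallback property.
CONFIG = {
    "com.ibm.portal.resource.my_web_app_1.contextroot": "${URI_CONTEXT_PATH}/PA_My_Web_App",
    "com.ibm.portal.resource.my_web_app_1.whitelist": ".*",
    "com.ibm.portal.resource.my_web_app_1.blacklist": "WEB-INF/.*",
    "com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist": ".*",
}
APP_PREFIX = "com.ibm.portal.resource."
FALLBACK_KEY = "com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist"

def requests_from_log(text):
    """Map each servlet context named in the log to the sorted resources it served."""
    seen = {}
    for ctx, res in LOG_RE.findall(text):
        seen.setdefault(ctx, set()).add(res)
    return {ctx: sorted(res) for ctx, res in seen.items()}

def load_lists(config, uri_context_path="/wps"):
    """Group the three per-app properties by key part; return {contextroot: (whitelist, blacklist)}."""
    apps = {}
    for name, value in config.items():
        if name.startswith(APP_PREFIX):
            key, _, field = name[len(APP_PREFIX):].rpartition(".")
            if key and field in ("contextroot", "whitelist", "blacklist"):
                apps.setdefault(key, {})[field] = value
    lists = {}
    for key, f in apps.items():
        if len(f) != 3:  # the bulletin requires all three properties per key
            raise ValueError(f"incomplete property set for key '{key}'")
        ctx = f["contextroot"].replace("${URI_CONTEXT_PATH}", uri_context_path)
        lists[ctx] = (f["whitelist"], f["blacklist"])
    return lists

def is_served(config, context_root, resource):
    """Whitelist admits, blacklist then removes. Assumes a case-sensitive full-path
    match; unlisted apps get the fallback (pre-PI65954 default: WEB-INF/.*)."""
    lists = load_lists(config)
    white, black = lists.get(context_root, (".*", config.get(FALLBACK_KEY, "WEB-INF/.*")))
    return bool(re.fullmatch(white, resource)) and re.fullmatch(black, resource) is None

def contexts_needing_step2(config, log_text):
    """Contexts seen serving resources that still have no lists (Step 3 would block them)."""
    return sorted(set(requests_from_log(log_text)) - set(load_lists(config)))
```

Run contexts_needing_step2 over the real SystemOut.log before applying Step 3 to see which custom applications would be cut off by the fallback.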

Workarounds and Mitigations

None

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 October 2015: Original Version Published
13 November 2015: Clarifications in Remediation/Fixes section
23 November 2015: Clarifications in Remediation/Fixes section, description of log message disablement
27 November 2015: Clarifications in Remediation/Fixes section, more sample details, added 8001 Cumulative Fix CF19
12 September 2016: Information about PI65954 in IBM WebSphere Portal 8.5 CF12 (secure default)
13 October 2016: Enhanced web.xml parameter description
19 June 2017: Information about PI65954 in IBM WebSphere Portal 8.0 CF22 (secure default)

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: WebSphere Portal

Software version: 6.1, 7.0, 8.0, 8.5

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1963226

Modified date: 22 August 2017