IBM Support

IBM WebSphere Portal (8.5 CF12 / 8.0 CF22) introduces secure default settings for CVE-2014-8912

Flash (Alert)


Abstract

IBM WebSphere Portal 8.5 CF12 and IBM WebSphere Portal 8.0 CF22 introduce secure default settings for CVE-2014-8912. This requires explicit choice of black/whitelist settings for your custom web applications (e.g. custom portlets or custom themes) which make use of the RES datasource to avoid functional regression.

Content

IBM WebSphere Portal 8.5 CF12 / 8.0 CF22 contains a security fix (PI65954) related to CVE-2014-8912 (For details on this vulnerability and remediation see security bulletin http://www-01.ibm.com/support/docview.wss?uid=swg21963226). Similar to APAR PI47714 (contained in IBM WebSphere Portal 8.5 CF8 / 8.0 CF19), this APAR warns and then blocks access via the RES datasource to files in a web application that does not have a blacklist or whitelist. The difference between PI47714 and PI65954 is that the default value for the blacklist is now ".*" instead of "WEB-INF/.*" which is much more restrictive than before.
This secure default requires an explicit choice of blacklist/whitelist settings for your custom web applications (e.g. custom portlets or custom themes) that make use of the RES datasource, in order to avoid functional regression. Before applying 8.5 CF12 / 8.0 CF22, it is recommended to address any log message related to CVE-2014-8912 that occurs during regular usage of custom web applications. After PI47714 (contained in 8.5 CF8 / 8.0 CF19) has been applied, a log message like the following is issued for any such access via the RES datasource:

[10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/...] does not specify a blackwhite list when accessing resource [...], falling back to the default [[whitelist(null), blacklist(.*)]]...

If you have already applied PI47714 (contained in 8.5 CF8 / 8.0 CF19) and log statements like this occur, functional issues are expected after applying PI65954 (contained in 8.5 CF12 / 8.0 CF22). These issues will remain until the log messages are addressed. If such log messages exist, your applications can define a custom blacklist or whitelist by adding the keys 'com.ibm.portal.resource.whitelist' and 'com.ibm.portal.resource.blacklist' to their web.xml deployment descriptor. You must redeploy your custom theme or portlet for these changes to take effect. Details on the action required for the custom code mentioned in these messages, and on setting a default value for the blacklist, can be found in the security bulletin (http://www-01.ibm.com/support/docview.wss?uid=swg21963226).
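The following Python script is an added example for triaging these warnings before the cumulative fix is applied; it is not part of this support document or of IBM's product code. It extracts the servlet context and resource path from each PI47714 warning line in SystemOut.log, proposes a least-privilege whitelist from the file extensions that were actually requested, and renders the corresponding web.xml entries. Three things are assumptions, not facts from the page: the parsing pattern is derived from the single sample line above, the two keys are taken to be <context-param> entries in web.xml, and the blacklist is modelled as a regular expression matched in full against the resource path without its leading slash (this is only used to illustrate why the new default ".*" blocks everything while "WEB-INF/.*" blocks only WEB-INF). The sample log lines are constructed.

```python
"""Triage PI47714 RES datasource warnings before applying 8.5 CF12 / 8.0 CF22.

Assumptions (not stated on the IBM support page):
- warning lines are parsed with WARNING_RE, built from the page's one sample line;
- com.ibm.portal.resource.whitelist / .blacklist are <context-param> entries in
  web.xml whose values are regular expressions;
- blocked_by_blacklist() models a full regex match on the path without its
  leading slash, purely to show the effect of ".*" versus "WEB-INF/.*".
"""
import re
from collections import defaultdict
from xml.sax.saxutils import escape

WARNING_RE = re.compile(
    r"Servlet context \[(?P<ctx>[^\]]*)\] does not specify a blackwhite list "
    r"when accessing resource \[(?P<res>[^\]]*)\]"
)

# Constructed sample log lines: the message shape is from the page, the
# context names and resource paths are invented for this example.
SAMPLE_LOG = """\
[10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/myCustomTheme] does not specify a blackwhite list when accessing resource [/js/theme.js], falling back to the default [[whitelist(null), blacklist(.*)]]...
[10/5/15 8:00:01:000 EDT] 0000000b AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/myCustomTheme] does not specify a blackwhite list when accessing resource [/css/theme.css], falling back to the default [[whitelist(null), blacklist(.*)]]...
[10/5/15 8:00:02:000 EDT] 0000000c AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/myPortlet] does not specify a blackwhite list when accessing resource [/images/logo.png], falling back to the default [[whitelist(null), blacklist(.*)]]...
[10/5/15 8:00:03:000 EDT] 0000000d SomeOtherComp I com.example.Unrelated an unrelated line that must be ignored
"""


def find_unconfigured_contexts(log_text):
    """Return {servlet_context: sorted resource paths} for every warning line.

    Every context listed here lacks a blacklist/whitelist and will stop
    serving these resources once the ".*" default becomes blocking."""
    contexts = defaultdict(set)
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if m:
            contexts[m.group("ctx")].add(m.group("res"))
    return {ctx: sorted(paths) for ctx, paths in contexts.items()}


def blocked_by_blacklist(resource, blacklist):
    """Assumed semantics: full regex match against the path without leading '/'."""
    return re.fullmatch(blacklist, resource.lstrip("/")) is not None


def suggest_whitelist(paths):
    """Propose a whitelist regex covering only the file extensions actually
    requested, e.g. '.*\\.(css|js)'. Review it before deploying; returns None
    if no path carries an extension."""
    exts = sorted({p.rsplit(".", 1)[1] for p in paths if "." in p.rsplit("/", 1)[-1]})
    if not exts:
        return None
    return r".*\.(" + "|".join(re.escape(e) for e in exts) + ")"


def web_xml_fragment(whitelist=None, blacklist=None):
    """Render the <context-param> entries to add to web.xml (assumed form)."""
    params = []
    if whitelist is not None:
        params.append(("com.ibm.portal.resource.whitelist", whitelist))
    if blacklist is not None:
        params.append(("com.ibm.portal.resource.blacklist", blacklist))
    lines = []
    for name, value in params:
        lines.append("<context-param>")
        lines.append(f"    <param-name>{escape(name)}</param-name>")
        lines.append(f"    <param-value>{escape(value)}</param-value>")
        lines.append("</context-param>")
    return "\n".join(lines)


if __name__ == "__main__":
    for ctx, paths in find_unconfigured_contexts(SAMPLE_LOG).items():
        print(f"Context {ctx} has no blacklist/whitelist; resources seen: {paths}")
        for p in paths:
            print(f"  {p}: blocked by new default '.*' -> {blocked_by_blacklist(p, '.*')}, "
                  f"by old default 'WEB-INF/.*' -> {blocked_by_blacklist(p, 'WEB-INF/.*')}")
        print("  Suggested web.xml entry (review before redeploying):")
        print(web_xml_fragment(whitelist=suggest_whitelist(paths)))
```

Run it against a copy of SystemOut.log captured during normal use of the portal (replace SAMPLE_LOG with the file contents); each context it reports needs a web.xml change and a redeploy before CF12 / CF22 is applied. The suggested whitelist is deliberately narrow: it permits only the extensions that regular usage actually requested, which is the least-privilege starting point, and anything it blocks that users later need should be added explicitly rather than by widening the pattern to ".*".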


Temporary workaround (not recommended and not secure)

Alternatively, as a temporary workaround (not recommended and not secure) in case of functional regression after application of 8.5 CF12 / 8.0 CF22, you can define a different default value for the blacklist and change the behavior back as it was prior to PI65954. This can be achieved by defining a custom property in the Resource Environment Provider 'WP ConfigService':
    Name: com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist
    Value: WEB-INF/.*

Detailed steps:
  1. Login to the DMGR / WAS Admin Console.
  2. Navigate to Resources > Resource Environment > Resource Environment Providers > WP ConfigService
  3. Create a new custom property
    Name: com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist
    Value: WEB-INF/.*
    Type: java.lang.String
  4. Save changes. If clustered, sync nodes.
  5. Restart the Portal server(s).

Related information

Security Bulletin CVE-2014-8912 IBM WebSphere Portal

Document information

More support for: WebSphere Portal

Software version: 8.0, 8.5

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1989005

Modified date: 30 January 2017
