PK52059; Potential security exposure with serveservletsbyclassnameenabled

Downloadable files


Abstract

Possible security exposure with SERVESERVLETSBYCLASSNAMEENABLED on IBM® WebSphere® Application Server V6.0 and 6.1.

Download Description

PK52059 resolves the following problem:

ERROR DESCRIPTION:
There is a possible security exposure with the serveServletsByClassnameEnabled feature which is available to be set at the application level.

LOCAL FIX:
Disable the serveServletsByClassnameEnabled feature for each web application installed on the server.

PROBLEM SUMMARY

USERS AFFECTED:
All users of WebSphere Application Server versions 6.0 through 6.0.2.25 and 6.1 through 6.1.0.14 for Distributed, i5/OS® and z/OS®. This problem does not occur on versions 4.0, 5.0, and 5.1.

PROBLEM DESCRIPTION:

There is a possible security exposure with the serveServletsByClassnameEnabled feature. This feature is available to be set at the application level.

RECOMMENDATION:
None

PROBLEM CONCLUSION:
The security exposure has been closed and two new web container custom properties have been introduced:

Property Name: com.ibm.ws.webcontainer.disallowserveservletsbyclassname
Description: If set to true, disallows the use of serveServletsByClassnameEnabled at the application server level, overriding any setting of serveServletsByClassnameEnabled at the application level.
Values: true / false (default)


Property Name: com.ibm.ws.webcontainer.donotservebyclassname
Description: A semicolon-delimited list of classes that are not to be served by class name.
Values: String, such as com.ibm.BlckedClass1;com.ibm.BlckedClass2;com.ibm.BlckedClass3

Note: This property is not applied if the new custom property com.ibm.ws.webcontainer.disallowserveservletsbyclassname is set to true. Otherwise it overrides any enablement of serveServletsByClassnameEnabled for the application that provides the classes to be blocked.

Note: After applying this fix, to enable the serving of servlets by class name, the new custom property com.ibm.ws.webcontainer.disallowserveservletsbyclassname must be set to false (the default) and serveServletsByClassnameEnabled must be enabled for the application that provides the classes to be served.
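As an added illustration (not IBM's web container code), the following Python models the precedence the two properties establish as described above: the server-wide switch wins, then the application's own serveServletsByClassnameEnabled flag, then the per-class blocklist. The property names are the ones introduced by this APAR; the application names and sample values are constructed.

```python
# Added illustration (not IBM's web container code) of the effective policy
# for serving a servlet by class name, as the PK52059 text describes it.
# Property names are those introduced by PK52059; sample values are constructed.

DISALLOW_PROP = "com.ibm.ws.webcontainer.disallowserveservletsbyclassname"
BLOCKLIST_PROP = "com.ibm.ws.webcontainer.donotservebyclassname"


def parse_blocklist(value):
    """Split the semicolon-delimited class list; blanks and whitespace are ignored."""
    if not value:
        return set()
    return {c.strip() for c in value.split(";") if c.strip()}


def class_name_serving_allowed(custom_props, app_enabled, class_name):
    """Return (allowed, reason) for a request to serve `class_name` by name.

    custom_props: server-level web container custom properties (str -> str)
    app_enabled:  the application's own serveServletsByClassnameEnabled flag
    """
    # The server-level switch overrides any application-level enablement.
    if custom_props.get(DISALLOW_PROP, "false").strip().lower() == "true":
        return False, "disabled server-wide by " + DISALLOW_PROP
    # Nothing is served by class name unless the application enables it.
    if not app_enabled:
        return False, "serveServletsByClassnameEnabled is off for this application"
    # The per-class blocklist is only consulted once the feature is otherwise on.
    if class_name in parse_blocklist(custom_props.get(BLOCKLIST_PROP)):
        return False, "class listed in " + BLOCKLIST_PROP
    return True, "served by class name"


def apps_serving_by_class_name(custom_props, app_flags):
    """app_flags: {app_name: app_enabled}. Lists applications for which the
    feature is still effective (an empty class name is never on the blocklist)."""
    return sorted(name for name, enabled in app_flags.items()
                  if class_name_serving_allowed(custom_props, enabled, "")[0])


# Constructed sample: fix applied, server-wide switch left at its default
# (false), and the three example classes from the APAR text blocked.
SAMPLE_PROPS = {
    BLOCKLIST_PROP: "com.ibm.BlckedClass1;com.ibm.BlckedClass2;com.ibm.BlckedClass3",
}

if __name__ == "__main__":
    for cls in ("com.ibm.BlckedClass2", "com.example.OtherServlet"):
        print(cls, class_name_serving_allowed(SAMPLE_PROPS, True, cls))
    print(apps_serving_by_class_name(SAMPLE_PROPS, {"app1": True, "app2": False}))
```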

Please refer to the following technote for instructions on enabling WebContainer custom properties:
http://www.ibm.com/support/docview.wss?rss=180&uid=swg21284395

To apply the fix:

For versions 6.1.0.9 through 6.1.0.13:
Apply Interim Fix 6.1.0.9-WS-WAS-IFPK52059.pak

For versions 6.1.0.2 through 6.1.0.7:
Apply Interim Fix 6.1.0.2-WS-WAS-IFPK52059.pak

For versions 6.1 through 6.1.0.1:
Apply Interim Fix 6.1.0.0-WS-WAS-IFPK52059.pak

For version 6.0.2.25:
Apply Interim Fix 6.0.2.25-WS-WAS-IFPK52059.pak

For versions 6.0.2.13 through 6.0.2.23:
Apply Pre-requisite Fix PK54499:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017926
Then, apply Interim Fix 6.0.2.13-WS-WAS-IFPK52059.pak

For versions 6.0.2.9 through 6.0.2.11:
Apply Interim Fix 6.0.2.9-WS-WAS-IFPK52059.pak

For versions 6.0.2.5 through 6.0.2.7:
Apply Interim Fix 6.0.2.5-WS-WAS-IFPK52059.pak

For versions 6.0.2 through 6.0.2.3:
Apply Interim Fix 6.0.2.0-WS-WAS-IFPK52059.pak

For versions 6.0.1 through 6.0.1.2:
Apply Interim Fix 6.0.1.0-WS-WAS-IFPK52059.pak

For versions 6.0 through 6.0.0.3:
Apply Interim Fix 6.0.0.0-WS-WAS-IFPK52059.pak


The fix for this APAR is currently targeted for inclusion in Fix Packs 5.1.1.18, 6.0.2.27, 6.1.0.15. However, note that for Fix Pack 5.1.1.18, the fix is only included in order to provide the two new webcontainer custom properties and is not required to fix a security vulnerability.

Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL              LANGUAGE    SIZE (Bytes)
UpdateInstaller  US English  7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL     LANGUAGE    SIZE (Bytes)
Readme  US English  5841

Download package

Download                    RELEASE DATE  LANGUAGE    SIZE (Bytes)  Download Options
6.1.0.9-WS-WAS-IFPK52059    1/9/2008      US English  18221         FC FTP DD
6.1.0.2-WS-WAS-IFPK52059    1/9/2008      US English  18097         FC FTP DD
6.1.0.0-WS-WAS-IFPK52059    1/9/2008      US English  18094         FC FTP DD
6.0.2.25-WS-WAS-IFPK52059   1/9/2008      US English  16592         FC FTP DD
6.0.2.13-WS-WAS-IFPK52059   2/8/2008      US English  16210         FC FTP DD
6.0.2.9-WS-WAS-IFPK52059    1/9/2008      US English  16422         FC FTP DD
6.0.2.5-WS-WAS-IFPK52059    1/9/2008      US English  15278         FC FTP DD
6.0.2.0-WS-WAS-IFPK52059    1/9/2008      US English  15120         FC FTP DD
6.0.1.0-WS-WAS-IFPK52059    1/9/2008      US English  15042         FC FTP DD
6.0.0.0-WS-WAS-IFPK52059    1/9/2008      US English  14956         FC FTP DD

Technical support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PK52059


Document information


More support for:

WebSphere Application Server
Servlet Engine/Web Container

Software version:

6.0, 6.0.0.2, 6.0.0.3, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.2, 6.0.2.1, 6.0.2.3, 6.0.2.5, 6.0.2.7, 6.0.2.9, 6.0.2.11, 6.0.2.13, 6.0.2.15, 6.0.2.17, 6.0.2.19, 6.0.2.21, 6.0.2.23, 6.0.2.25, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.5, 6.1.0.7, 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.15

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition:

Advanced, Base, Developer, Enterprise, Express, Network Deployment, Single Server

Reference #:

4018067

Modified date:

2008-01-17
