IBM Support

PM14765; 1.0.1.0: Document Type Definitions (DTDs) must be disabled for JAX-RS

Download


Abstract

There is a security exposure related to JAX-RS REST services.

Download Description

PM14765 resolves the following problem:

ERROR DESCRIPTION:
There is a security exposure related to JAX-RS REST services.

The exposure can cause data tampering, denial of service and
possible exposure of server file contents.

A malicious client may use DTD (Document Type Definitions)
to attack a JAX-RS REST service.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
All users of IBM WebSphere Application
Server Feature Pack for Web 2.0

PROBLEM DESCRIPTION:
There is a security exposure related
to JAX-RS REST services.

RECOMMENDATION:
Install a fixpack containing this APAR

There is a security exposure related to JAX-RS REST services.

The exposure can cause data tampering, denial of service and
possible exposure of server file contents.

A malicious client may use DTD (Document Type Definitions) to
attack the JAX-RS REST service.

The exposure exists only on JAX-RS REST resources that require
parsing of XML data.

PROBLEM CONCLUSION:
The JAX-RS runtime is changed to disable the processing of
DTDs contained within incoming messages.
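As an added illustration of the mitigation this APAR describes (example code written for this page, not IBM's JAX-RS runtime), the class below configures a standard JAXP `DocumentBuilderFactory` so that any DOCTYPE declaration in a request body aborts the parse before entities are ever expanded. The class name, the two sample request bodies and the hypothetical `/orders` resource they stand in for are all constructed for the example; the feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Hypothetical helper (added example, not IBM code) showing the behaviour the
 * APAR fix introduces: incoming XML that carries a DTD is rejected outright.
 */
public class DtdRejectingParser {

    // Standard Xerces / SAX feature URIs understood by the JDK's bundled parser.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a factory whose parsers refuse DOCTYPE declarations. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: a DOCTYPE anywhere in the document aborts the parse.
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth, in case a different parser implementation ignores the feature above.
        f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses a message body; returns null when the body was rejected for carrying a DTD. */
    static Document parseMessage(String body) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new InputSource(new StringReader(body)));
        } catch (SAXParseException e) {
            // Xerces reports: DOCTYPE is disallowed when the feature
            // "http://apache.org/xml/features/disallow-doctype-decl" set to true.
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies for a hypothetical /orders JAX-RS resource.
        String plain = "<order><id>42</id></order>";
        // The same payload with an internal-only DTD prepended. The parser must
        // refuse it on sight; whether the DTD is harmful is never evaluated.
        String withDtd = "<!DOCTYPE order [<!ENTITY e \"x\">]><order><id>&e;</id></order>";

        System.out.println("plain body accepted: " + (parseMessage(plain) != null));
        System.out.println("DTD body accepted:   " + (parseMessage(withDtd) != null));
    }
}
```

Running the class prints `true` for the plain body and `false` for the DTD-bearing one. A JAX-RS provider that unmarshals with StAX or JAXB rather than DOM gets the equivalent behaviour by setting `XMLInputFactory.SUPPORT_DTD` to `false` (and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` to `false`) on the `XMLInputFactory` it hands to the unmarshaller; the check belongs in the shared `MessageBodyReader`, not in each resource method, so that every XML-consuming endpoint is covered.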

The fix for this APAR is currently targeted for inclusion
in the next release of Web20 Feature Pack following version
1.0.1.0. Please refer to the Recommended
Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

[{"PRLabel":"UpdateInstaller","PRLang":"US English","PRSize":"7250000","PRPlat":{"label":"AIX","code":"PF002"},"PRURL":"http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991"}]

Installation Instructions

Please review the readme.txt for detailed installation instructions.

[{"INLabel":"Readme","INLang":"US English","INSize":"5150","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM14765/readme.txt"}]
[{"DNLabel":"1.0.1.0-WS-WASWeb20-IFPM14765","DNDate":"8/25/2010","DNLang":"US English","DNSize":"191614","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?fixids=1.0.1.0-WS-WASWeb20-IFPM14765&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server%20Feature%20Pack%20for%20Web%202.0&source=dbluesearch","DNURL_FTP":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM14765/1.0.1.0-WS-WASWeb20-IFPM14765.pak","DDURL":"http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM14765/1.0.1.0-WS-WASWeb20-IFPM14765.pak"}]

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

[{"Product":{"code":"SSR2SE","label":"WebSphere Application Server Feature Pack for Web 2.0"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"1.0.1.0","Edition":"Edition Independent","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
15 June 2018

UID

swg24027570