APAR status
Closed as program error.
Error description
If a user account is hijacked, either from an idle workstation or through a session-stealing attack, and the Change Password screen opens from the Login page (because the password has expired, or because a password policy requires a password change at first login), the hijacker can attempt the existing-password field by trial and error an unlimited number of times. The system does not honor the value set for the ConsecFailedAttempts parameter in the ui.properties file and does not lock the user upon reaching the limit of failed attempts.
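As an added illustration (not IBM's code), a minimal Python model of the behaviour described above: a change-password handler that never consults the ConsecFailedAttempts counter, next to one that applies the same lockout rule the login screen uses. The handler names, the in-memory user record and the sample limit of 3 are assumptions made for this example.

```python
# Added example, not IBM Sterling B2B Integrator code. Models a shared
# consecutive-failed-attempts counter across the Login and Change Password flows.
from dataclasses import dataclass

CONSEC_FAILED_ATTEMPTS = 3  # stands in for ui.ConsecFailedAttempts; value chosen for the example


@dataclass
class User:
    name: str
    password: str
    failed_attempts: int = 0
    locked: bool = False
    password_expired: bool = False  # True forces the Change Password screen after login


def _record_failure(user: User) -> None:
    """Shared counter: a wrong password counts no matter which screen submitted it."""
    user.failed_attempts += 1
    if user.failed_attempts >= CONSEC_FAILED_ATTEMPTS:
        user.locked = True


def login(user: User, password: str) -> str:
    if user.locked:
        return "locked"
    if password != user.password:
        _record_failure(user)
        return "locked" if user.locked else "bad-password"
    user.failed_attempts = 0
    return "change-password" if user.password_expired else "ok"


def change_password_vulnerable(user: User, current: str, new: str) -> str:
    """Before the fix: the current-password check ignores the counter, so guesses are unlimited."""
    if current != user.password:
        return "bad-password"
    user.password, user.password_expired = new, False
    return "ok"


def change_password_fixed(user: User, current: str, new: str) -> str:
    """After the fix: the current-password field obeys the same lockout rule as login."""
    if user.locked:
        return "locked"
    if current != user.password:
        _record_failure(user)
        return "locked" if user.locked else "bad-password"
    user.failed_attempts = 0
    user.password, user.password_expired = new, False
    return "ok"


def wrong_guesses_tolerated(handler, max_tries: int = 10) -> int:
    """Submit wrong current-passwords until the handler answers 'locked'; return how many it checked."""
    user = User("alice", "correct horse", password_expired=True)  # constructed sample account
    for i in range(1, max_tries + 1):
        if handler(user, f"wrong-{i}", "new-pass") == "locked":
            return i
    return max_tries
```

Running `wrong_guesses_tolerated` against both handlers shows the vulnerable flow checking every guess it is given, while the fixed flow stops at the configured limit.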
Local fix
STRRTC - 438280 NM / NM Circumvention: None
Problem summary
Users Affected: All
Problem Description: Security Vulnerability - ui.ConsecFailedAttempts is not honored in ChangePassword screens for password expiration or first time user login
Platforms Affected: All
Problem conclusion
Resolution Summary: ui.ConsecFailedAttempts is now honored on the ChangePassword screens, both for password expiration and first time user login.
Delivered In: 5020402_4 5104_6
Temporary fix
Comments
Published On: 12/16/14
APAR Information
APAR number
IT03936
Reported component name
STR B2B INTEGRA
Reported component ID
5725D0600
Reported release
524
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-08-21
Closed date
2014-09-24
Last modified date
2014-12-15
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR B2B INTEGRA
Fixed component ID
5725D0600
Applicable component levels
R524 PSY
UP
Product: IBM Sterling B2B Integrator (SS3JSW), Version 5.2.4, Platform Independent (PF025); Business Unit: IBM Software w/o TPS (BU059); Line of Business: Sustainability Software (LOB59)
Document Information
Modified date:
15 December 2014