Fixes are available
APAR status
Closed as program error.
Error description
Security vulnerabilities have been identified in the Information Server Web Console that may lead to unauthorized access through phishing attacks. CVE-2012-4819
Local fix
Problem summary
Refer to the following Security Bulletin for remediation. http://www-01.ibm.com/support/docview.wss?uid=swg21623501
Problem conclusion
The recommended solution is to apply the fix as soon as practical.

JR42861 Security vulnerabilities in Information Server Web Console

This change addresses the following security vulnerabilities in the Information Server Web Console:
- Cross-Site Request Forgery
- Cross-Site Scripting
- Link Injection (facilitates Cross-Site Request Forgery)
- Phishing Through Frames

To address the "Session Identifier Not Updated" issues reported by security scanning tools for URLs such as the following:
http://host:port/ibm/iis/console/j_security_check
http://host:port/ibm/iis/console/common/main.jsp
http://host:port/ibm/iis/console/common/launchHelp.jsp
http://host:port/ibm/iis/console/common/primaryTabs.jsp
http://host:port/reporting/main/RecentReportLayout.jsp
you must enable security integration in the WebSphere session management settings. Once it is enabled, that issue reported by the security scanning tool can be ignored.

To enable security integration:
- log in to the WebSphere Administration Integrated Solutions Console
- click Security > Global security
- expand Web and SIP security and select General settings
- make sure the "Authenticate only when the URI is protected" radio button is selected
- check "Use available authentication data when an unprotected URI is accessed"
- click Apply
- click Servers > Server Types > WebSphere application servers
- click the server_name (for a clustered configuration you must repeat this for each application server in the cluster)
- click Session management
- check Security Integration
- click Apply
- save the changes and restart the application server (for clustered configurations, you must update and save this setting for every application server in the cluster and then restart the cluster)

For further details on configuring security integration see:
http://pic.dhe.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=%2Fcom.ibm.websphere.nd.multiplatform.doc%2Finfo%2Fae%2Fae%2Fuprs_rsession_manager.html
Temporary fix
Comments
APAR Information
APAR number
JR42861
Reported component name
WIS DATASTAGE
Reported component ID
5724Q36DS
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-05-16
Closed date
2013-08-12
Last modified date
2014-07-08
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WIS DATASTAGE
Fixed component ID
5724Q36DS
Applicable component levels
R810 PSY
UP
R850 PSY
UP
R870 PSY
UP
Document Information
Modified date:
11 October 2021