APAR status
Closed as program error.
Error description
Abstract: Some classes in the JWL library contain a main() method, which could be a possible security vulnerability.
Problem: A main() method may be leftover debug code that creates an unintended entry point in a web application. Although this is an acceptable practice during product development, classes that are part of a production J2EE application should not define a main() method. Whether such a method can be remotely invoked depends on the configuration of the J2EE container and the application itself. In this case the main() methods are not accessible, but they should be removed as good practice.
Local fix: There is no known workaround at this time. The methods are not accessible.
Local fix
Problem summary
The presence of "main" methods, used for testing during development, in some classes of the ICU4J library, which is required by the IBM JSF Widgets Library (JWL) and included in JWL projects, prompts security warnings from static analysis tools run against applications using JWL. A careful analysis of the warnings has been conducted and none of them present a security risk for web applications using the ICU4J library.
Problem conclusion
A defect was opened with the ICU project on icu.org to address this situation. They agreed to comment out the main classes, and the fix is included in ICU4J version 49. The icu4j library bundled with JWL has been updated to this version, which is now used for newly created JWL projects. The fix for this APAR is included in Rational Application Developer v7.5.5.5 iFix1.
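As an added illustration (not code from IBM, ICU or the JWL project), the check below does what the static-analysis warning above describes: it walks a class file's constant pool and method table and flags any public static void main(String[]). The make_class helper builds constructed, non-loadable sample class files so the check runs offline; applying it to every .class entry of the icu4j jar is the way to confirm which classes still carry such an entry point after the update.

```python
import struct
MAIN_DESC = "([Ljava/lang/String;)V"
ACC_PUBLIC_STATIC = 0x0009
# Byte widths of the fixed-size constant-pool entries, by tag (JVMS 4.4).
CP_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
           12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def u2(data, off):
    return struct.unpack_from(">H", data, off)[0]

def has_main_method(data):
    """True if this .class file declares public static void main(String[])."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file")
    cp_count, off, i = u2(data, 8), 10, 1
    cp = [None] * cp_count
    while i < cp_count:                    # walk the constant pool
        tag, off = data[off], off + 1
        if tag == 1:                       # CONSTANT_Utf8: u2 length + bytes
            n = u2(data, off)
            cp[i] = data[off + 2:off + 2 + n].decode("utf-8", "replace")
            off += 2 + n
        else:
            off += CP_SIZE[tag]
        i += 2 if tag in (5, 6) else 1     # long/double take two pool slots
    off += 8 + 2 * u2(data, off + 6)       # access, this, super, interfaces[]
    found = False
    for section in ("fields", "methods"):  # same record layout, methods second
        count, off = u2(data, off), off + 2
        for _ in range(count):
            acc, name, desc, n_attr = struct.unpack_from(">HHHH", data, off)
            off += 8
            for _ in range(n_attr):        # skip Code and other attributes
                off += 6 + struct.unpack_from(">I", data, off + 2)[0]
            if (section == "methods" and cp[name] == "main"
                    and cp[desc] == MAIN_DESC
                    and acc & ACC_PUBLIC_STATIC == ACC_PUBLIC_STATIC):
                found = True
    return found

def make_class(methods):
    """Constructed test input: minimal class 'Demo' with (access, name, descriptor) methods."""
    pool = [b""]                           # slot 0 is unused in class files
    def utf8(s):
        pool.append(b"\x01" + struct.pack(">H", len(s)) + s.encode())
        return len(pool) - 1
    pool.append(b"\x07" + struct.pack(">H", utf8("Demo")))  # CONSTANT_Class is #2
    body = b"".join(struct.pack(">HHHH", a, utf8(n), utf8(d), 0) for a, n, d in methods)
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, len(pool)) + b"".join(pool)
            + struct.pack(">HHHHHH", 0x21, 2, 0, 0, 0, len(methods)) + body + b"\x00\x00")
```

For a real jar, read each entry ending in .class with zipfile and pass its bytes to has_main_method; an instance-level or differently typed main is not an entry point and is correctly ignored.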
Temporary fix
Comments
APAR Information
APAR number
PM53904
Reported component name
RATL APP DEV WI
Reported component ID
5724J1901
Reported release
750
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-12-08
Closed date
2012-09-24
Last modified date
2012-09-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
RATL APP DEV WI
Fixed component ID
5724J1901
Applicable component levels
R750 PSN
UP
Document Information
Modified date:
24 September 2012