Flashes (Alerts)
Abstract
After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303, there is a potential security exposure with IBM WebSphere Application Server.
Content
Affected Versions:
The problem affects the following IBM WebSphere Application Server Distributed platforms, i5/OS platforms, z/OS platform Versions and IBM WebSphere Application Server Hypervisor Edition with:
The problem does not occur on the following versions:
CVE ID: CVE-2012-3325 (PM71296)
Problem Description:
If you have installed an Interim Fix for PM44303 or a Fix Pack listed above, you have the potential for an authenticated user to bypass security restrictions, caused by an error when validating user credentials. This could allow a user to gain unauthorized administrative access to an application and potentially gain access to confidential and critical customer data.
CVSS:
CVSS Base Score: 6.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77959 for the current score
CVSS Environmental Score*: undefined
CVSS String: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Solutions:
Apply Interim Fix PM71296, or a Fix Pack containing the APAR, as noted below.
For IBM WebSphere Application Server for distributed operating systems and IBM WebSphere Application Server Hypervisor Edition:
For V8.5.0.0 Full Profile:
--OR--
For 8.0.0.2 through 8.0.0.4:
--OR--
For V7.0.0.21 through 7.0.0.23:
--OR--
For V6.1.0.43:
--OR--
For IBM WebSphere Application Server for i5/OS operating systems:
For V8.5.0.0 Full Profile:
--OR--
For V8.0.0.2 through 8.0.0.4:
--OR--
For V7.0.0.21 through 7.0.0.23:
--OR--
For V6.1.0.43:
--OR--
For WebSphere Application Server for z/OS operating systems:
For V8.5.0.0 Full Profile:
--OR--
For V8.0.0.2 through 8.0.0.4:
--OR--
For z/OS operating systems Version 7 and Version 6.1
You can apply the appropriate prebuilt ++APAR below or open a PMR (Problem Management Record) with IBM WebSphere Application Server for z/OS Technical support to request a custom-built ++APAR.
For V7.0.0.23:
--OR--
For V7.0.0.21:
--OR--
For V6.1.0.43:
--OR--
Note: Customers that require a fix at a different WebSphere service level not mentioned above, or those who are running with a service level mentioned above but also have an existing ++APAR, will need to open a PMR to work with IBM Technical Support personnel to determine the best method for providing a fix for their system. Be prepared to provide to IBM your current service level, and any existing ++APARs that are already received/applied to your system.
Instructions for installing ++APARs:
1. FTP the file to your system in BINARY, into a FIXED RECORD LENGTH 1024 data set.
2. Force these DCB attributes using the following TSO FTP client command right before the GET command:
LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0
If the ++APAR is quite large, then you can also pass along data set allocation information on the LOCSITE command. The example below gives the ++APAR file 300 cylinders in its primary and secondary extents.
These numbers are just examples:
LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0 PRI=300 SEC=300 CYL
3. UNTERSE the file
4. SMP/E RECEIVE and APPLY the ++APAR
5. You must SMP/E RESTORE OFF the ++APAR before installing further WebSphere maintenance.
For additional details and information on WebSphere Application Server product updates:
REFERENCES:
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Was this topic helpful?
Document Information
Modified date:
25 September 2022
UID
swg21609067