Download
Abstract
Possible security exposure with SERVESERVLETSBYCLASSNAMEENABLED on IBM® WebSphere® Application Server V6.0 and 6.1.
Download Description
PK52059 resolves the following problem:
ERROR DESCRIPTION:
There is a possible security exposure with the serveServletsByClassnameEnabled feature which is available to be set at the application level.
LOCAL FIX:
Disable serveServletsByClassnameEnabled feature for each web application installed on a server.
PROBLEM SUMMARY
USERS AFFECTED:
All users of WebSphere Application Server versions 6.0 through 6.0.2.25 and 6.1 through 6.1.0.14 for Distributed, i5/OS® and z/OS®. This problem does not occur on versions 4.0, 5.0, and 5.1.
PROBLEM DESCRIPTION:
There is a possible security exposure with the serveServletsByClassnameEnabled feature. This feature is available to be set at the application level.
RECOMMENDATION:
None
PROBLEM CONCLUSION:
The security exposure has been closed and two new webcontainer custom properties have been introduced:
Property Name: com.ibm.ws.webcontainer.disallowserveservletsbyclassname
Description: If set to true, disallows the use of serveServletsByClassnameEnabled at the application server level, overriding any setting of serveServletsByClassnameEnabled at the application level.
Values: true/false(default)
Property Name: com.ibm.ws.webcontainer.donotservebyclassname
Description: A semi-colon delimited list of classes to be disallowed from being served by class name.
Values: String, such as com.ibm.BlckedClass1;com.ibm.BlckedClass2;com.ibm.BlckedClass3
Note: This property is not applied if the new custom property com.ibm.ws.webcontainer.disallowserveservletsbyclassname is set to true; otherwise it overrides any enablement of serveServletsByClassnameEnabled for the application that provides the listed classes.
Note: After applying this fix, to enable the serving of servlets by class name, the new custom property com.ibm.ws.webcontainer.disallowserveservletsbyclassname must be set to false (the default) and serveServletsByClassnameEnabled must be enabled for the application that provides the classes to be served.
Please refer to the following technote for instructions on enabling WebContainer custom properties:
http://www.ibm.com/support/docview.wss?rss=180&uid=swg21284395
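The following is an added audit helper, not IBM code and not part of this fix. It models the effective policy the APAR text describes (the server-level disallow property overrides the application setting; the semicolon-delimited block list only narrows what an enabled application may serve) and checks the application-level flag from the local-fix step. It assumes the application-level setting is read from WEB-INF/ibm-web-ext.xmi as the serveServletsByClassnameEnabled attribute; the sample descriptor and application names are constructed for the example.

```python
"""Audit helper for the serveServletsByClassnameEnabled exposure (PK52059).

Added example, not IBM code. Labelled assumptions:
- the application-level flag is read from WEB-INF/ibm-web-ext.xmi as the
  serveServletsByClassnameEnabled attribute (assumed descriptor layout);
- the two web container custom properties behave as the APAR text states.
"""
from typing import Dict, List, Set
import xml.etree.ElementTree as ET

# Constructed sample of an application extension descriptor with the
# flag enabled. Namespace URIs are placeholders, not copied from a product.
SAMPLE_IBM_WEB_EXT = """<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi"
    serveServletsByClassnameEnabled="true"
    fileServingEnabled="false">
</webappext:WebAppExtension>
"""

# Same descriptor with the APAR's local fix applied (flag turned off).
SAMPLE_IBM_WEB_EXT_FIXED = SAMPLE_IBM_WEB_EXT.replace(
    'serveServletsByClassnameEnabled="true"',
    'serveServletsByClassnameEnabled="false"')

DISALLOW_PROP = "com.ibm.ws.webcontainer.disallowserveservletsbyclassname"
BLOCKLIST_PROP = "com.ibm.ws.webcontainer.donotservebyclassname"


def app_serves_by_classname(ibm_web_ext_xml: str) -> bool:
    """True when the application-level descriptor enables serving by class name.
    A missing attribute is treated as disabled."""
    root = ET.fromstring(ibm_web_ext_xml)
    value = root.get("serveServletsByClassnameEnabled", "false")
    return value.strip().lower() == "true"


def parse_blocklist(value: str) -> Set[str]:
    """Split the semicolon-delimited donotservebyclassname value,
    ignoring blank entries and surrounding whitespace."""
    return {c.strip() for c in value.split(";") if c.strip()}


def may_serve_by_classname(classname: str, app_enabled: bool,
                           server_props: Dict[str, str]) -> bool:
    """Effective decision for one class after PK52059, following the APAR text:
    1. disallowserveservletsbyclassname=true at the server overrides the app;
    2. otherwise the application itself must have enabled the feature;
    3. and the class must not appear in donotservebyclassname."""
    if server_props.get(DISALLOW_PROP, "false").strip().lower() == "true":
        return False
    if not app_enabled:
        return False
    blocked = parse_blocklist(server_props.get(BLOCKLIST_PROP, ""))
    return classname not in blocked


def exposed_applications(descriptors: Dict[str, str],
                         server_props: Dict[str, str]) -> List[str]:
    """Names of applications that can still serve some servlet by class name.
    The block list narrows the exposure per class but does not close it, so
    only the server-level disallow property empties this list outright."""
    if server_props.get(DISALLOW_PROP, "false").strip().lower() == "true":
        return []
    return sorted(name for name, xml in descriptors.items()
                  if app_serves_by_classname(xml))


if __name__ == "__main__":
    # Constructed application names for the demonstration.
    apps = {"legacyApp": SAMPLE_IBM_WEB_EXT, "fixedApp": SAMPLE_IBM_WEB_EXT_FIXED}
    hardened = {DISALLOW_PROP: "true"}
    print("exposed without custom properties:", exposed_applications(apps, {}))
    print("exposed with disallow=true:", exposed_applications(apps, hardened))
```

Run against the installed applications' descriptors and the server's web container custom properties to see which applications still serve servlets by class name; the server-level disallow property is the setting that removes the exposure for every application at once, whereas the block list must name each class individually.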
To apply the fix:
For versions 6.1.0.9 through 6.1.0.13:
Apply Interim Fix 6.1.0.9-WS-WAS-IFPK52059.pak
For versions 6.1.0.2 through 6.1.0.7:
Apply Interim Fix 6.1.0.2-WS-WAS-IFPK52059.pak
For versions 6.1 through 6.1.0.1:
Apply Interim Fix 6.1.0.0-WS-WAS-IFPK52059.pak
For version 6.0.2.25:
Apply Interim Fix 6.0.2.25-WS-WAS-IFPK52059.pak
For versions 6.0.2.13 through 6.0.2.23:
Apply Pre-requisite Fix PK54499:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017926
Then, apply Interim Fix 6.0.2.13-WS-WAS-IFPK52059.pak
For versions 6.0.2.9 through 6.0.2.11:
Apply Interim Fix 6.0.2.9-WS-WAS-IFPK52059.pak
For versions 6.0.2.5 through 6.0.2.7:
Apply Interim Fix 6.0.2.5-WS-WAS-IFPK52059.pak
For versions 6.0.2 through 6.0.2.3:
Apply Interim Fix 6.0.2.0-WS-WAS-IFPK52059.pak
For versions 6.0.1 through 6.0.1.2:
Apply Interim Fix 6.0.1.0-WS-WAS-IFPK52059.pak
For versions 6.0 through 6.0.0.3:
Apply Interim Fix 6.0.0.0-WS-WAS-IFPK52059.pak
The fix for this APAR is currently targeted for inclusion in Fix Packs 5.1.1.18, 6.0.2.27, 6.1.0.15. However, note that for Fix Pack 5.1.1.18, the fix is only included in order to provide the two new webcontainer custom properties and is not required to fix a security vulnerability.
Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Download Package
Download | Release date | Language | Size (bytes) | Download options
---|---|---|---|---
6.1.0.9-WS-WAS-IFPK52059 | 1/9/2008 | US English | 18221 | FC, FTP, DD
6.1.0.2-WS-WAS-IFPK52059 | 1/9/2008 | US English | 18097 | FC, FTP, DD
6.1.0.0-WS-WAS-IFPK52059 | 1/9/2008 | US English | 18094 | FC, FTP, DD
6.0.2.25-WS-WAS-IFPK52059 | 1/9/2008 | US English | 16592 | FC, FTP, DD
6.0.2.13-WS-WAS-IFPK52059 | 2/8/2008 | US English | 16210 | FC, FTP, DD
6.0.2.9-WS-WAS-IFPK52059 | 1/9/2008 | US English | 16422 | FC, FTP, DD
6.0.2.5-WS-WAS-IFPK52059 | 1/9/2008 | US English | 15278 | FC, FTP, DD
6.0.2.0-WS-WAS-IFPK52059 | 1/9/2008 | US English | 15120 | FC, FTP, DD
6.0.1.0-WS-WAS-IFPK52059 | 1/9/2008 | US English | 15042 | FC, FTP, DD
6.0.0.0-WS-WAS-IFPK52059 | 1/9/2008 | US English | 14956 | FC, FTP, DD
Technical Support
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV(U.S. only).
Document Information
Modified date: 15 June 2018
UID: swg24018067