IBM Support

PH56660: SECURITY VULNERABILITY FROM ITX LAUNCHER MONITOR PORT 7001 WITH ADAPTER DETAILS (USERNAME AND PASSWORD) EXPOSED IN SNAPSHOT

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • The Launcher Monitor tool (dtxmon.exe) connects to the Launcher
monitor port (default 7001) to receive information from the
Launcher process.  The tool can be used to create Snapshot files
that could potentially be used to review connection details
(including login credentials) that are encrypted values from
Resource Registry.  Additionally, a port sniffer can also
connect to the Launcher Monitor port (7001 by default) and see
these values in plain text.

Local fix

  • ITXCQ - ITX00061614
PB / PB
Circumvention: None

Problem summary

  • Users Affected:
IBM Transformation Extender users using launcher monitor with
encryption on the command line.

Problem Description:
Launcher opened ports are not encrypted or validate the incoming
requests (except the control port has some mechanism to validate
the requests from Java Launcher or other applications), resource
aliases should be used in the adapter command line to protect
the critical information not to get exposed in clear text
format.

Platforms Affected:
All

Problem conclusion

  • When sending the end launcher monitor packet, use the encrypted
via resource registry version of the command line.

Applies to:
10.1.0.3, 10.1.1.1, 10.1.2.0

Fixed in the next service packs and releases.

To obtain the fix for this APAR:

To see if the next service pack or product release is available,
check the IBM Transformation Extender Release Notes page:
https://www.ibm.com/support/docview.wss?uid=swg27008337

If the service pack or product release is available, download it
from Fix Central:
http://www.ibm.com/support/fixcentral/

If the service pack or product release is not available and you
require the APAR fix immediately, request a Limited Availability
Interim Fix (LAIF) by opening a case:
https://www.ibm.com/mysupport/

Prior to version 9.0.0, IBM Transformation Extender was called
IBM WebSphere Transformation Extender.

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH56660
    • 

  • Reported component name
    ITX
    • 

  • Reported component ID
    5724Q2300
    • 

  • Reported release
    A10
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2023-08-31
    • 

  • Closed date
    2023-12-21
    • 

  • Last modified date
    2023-12-27
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    ITX
    • 

  • Fixed component ID
    5724Q2300
    • 



Applicable component levels


    








      
              
                            

              

              [{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSVSD8","label":"Transformation Extender"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"A10"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            28 December 2023
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback