Security Bulletin
Summary
Accessing the IBM Rational Automation Framework web user interface via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.
Vulnerability Details
Subscribe to My Notifications to be notified of important product support alerts like this.
|
CVEID: CVE-2012-4816
Description:
Accessing the Rational Automation Framework (RAF) web UI via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/78379 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
Rational Automation Framework 3.0 and later on all supported platforms.
Remediation/Fixes
None
Workarounds and Mitigations
Workaround(s):
Environment Generation Security Patch for Tomcat
1. Modify the files below to fix the Env Gen Wizard default access without login.
Path: C:\IBM\\Apache\tomcat\conf
File: tomcat-users.xml
Add user profile between the <tomcat-users> tag
<role rolename="admin"/>
<user username="admin" password="test123" roles="admin"/>
2. Add the below components above the </web-app> tag
Path: C:\IBM\Apache\tomcat\webapps\rafw\WEB-INF
File: Web.xml
<security-role>
<role-name>admin</role-name>
</security-role>
<security-constraint>
<display-name>Environment Generation</display-name>
<web-resource-collection>
<web-resource-name>Administration</web-resource-name>
<url-pattern>/rafw/*</url-pattern>
</web-resource-collection>
<!-- Only administrators can access this resource -->
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Use BASIC security -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Secure Area</realm-name>
</login-config>
3. Restart BuildForge.
Environment Generation Security Patch for WebSphere Application Server (WAS 7.0 & 8.0)
Update the web.xml File
1. There are two copies of the web.xml file, located in the following directories:
/WAS_install_root/installedApps/<cellname>/rweb.ear/rweb.war/WEB-INF/web.xml
/WAS_install_root/config/cells/<cellname>/applications/rweb.ear/deployments/rweb/rweb.war/WEB-INF/web.xml
Note: If this is a WebSphere Application Server Network Deployment, there is an additional web.xml that must be updated:
/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/<dellname>/applications/rweb_war.ear/deployments/rweb_war/rweb.war/web.xml
2. Insert the below basic authentication and security role to the three web.xml files
<security-constraint>
<display-name>Environment Generation</display-name>
<web-resource-collection>
<web-resource-name>Security constraint for Env Gen</web-resource-name>
<url-pattern>/rafw/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
3. Enable WebSphere Application Server security:
Open WebSphere Administrative console using the url http://
- In the WebSphere Application Server administrative console, click Security > Global Security.
- Select Enable administrative security.
- Ensure Enable application security is selected
4. Map Security Roles in Web.xml to WAS Manage User/Group.
- Select Application > WebSphere Enterprise Applications > Rational Automation Framework
- Under the Detailed Properties section you will see a link Security role to user/group mapping.
The link will appear only if your web.xml is setup correctly click the Security role to user/group mapping - Select the roles you wish to use for authentication
- Click on Map Users or Map groups
- Click search and select users (that are setup in your websphere under Users and Groups menu)
- Use the arrows to move the selected users/groups to the right hand box
- Click ok and save to master configuration.
Use: https://
Try logging in using default WAS port : http://
Mitigation(s):
None
Get Notified about Future Security Bulletins
References
Acknowledgement
None
Change History
* 14 December 2012 - Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
20 April 2020
UID
swg21620359