-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0367
 Potential security exposure with IBM WebSphere Application Server on z/OS
             running with Local Operating System user registry
                               1 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  z/OS
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4476  

Reference:         ASB-2011.0016

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21473989&myns=swgws&mynp=OCSS7K4U&mync=E#patch

- --------------------------BEGIN INCLUDED TEXT--------------------

Potential security exposure with IBM WebSphere Application Server on z/OS 
running with Local Operating System user registry (PM35480, PM35478, PM35545, 
PM35611, PM35609)

Flash (Alert)

Abstract

Unauthorized users might be granted unintended access to WebSphere 
applications.

Content

    * Versions affected
    * Problem description
    * Solution
    * Temporary patch option
    * Instructions for installing ++APARs
    * Change history
    * Additional documentation

Versions affected

This exposure affects only the WebSphere Application Server for z/OS products.

    * WebSphere Application Server for z/OS Versions 6.0 through 6.0.2.43, 6.1 
      through 6.1.0.35, and 7.0 through 7.0.0.15.

      This does not occur on any releases of WebSphere Application Server for 
      z/OS Versions prior to 6.0, or after 6.0.2.43, 6.1.0.35 and 7.0.0.15.

    * WebSphere Application Server OEM for z/OS (FMID HBBN610) Versions 
      6.1.0.25 through 6.1.0.32, and WebSphere Application Server OEM for z/OS 
      (FMID HBBN700) Versions 7.0.0.7 through 7.0.0.13.

      This does not occur on any releases of WebSphere Application Server OEM 
      for z/OS Versions prior to 6.1.0.25 and 7.0.0.7, or after 6.0.2.43 and 
      7.0.0.13.
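As an added example (not from the IBM bulletin or AusCERT), the following Python checks an installed service level against the affected ranges listed above. The ranges are taken from the list; the product keys `was_zos` and `was_oem_zos` and the function names are assumptions made for this example. It also shows why the comparison has to be numeric, field by field: a plain string comparison ranks 7.0.0.7 above 7.0.0.15 and would report an affected level as already fixed.

```python
# Added example, not part of the IBM bulletin: decide whether an installed
# WebSphere Application Server for z/OS service level is inside one of the
# affected ranges listed under "Versions affected". Product keys and
# function names are assumptions made for this example.

# (lower bound, upper bound), both inclusive, exactly as the bulletin states.
# A two-part bound such as (6, 0) covers that release line from 6.0.0.0.
AFFECTED_RANGES = {
    "was_zos": [
        ((6, 0), (6, 0, 2, 43)),
        ((6, 1), (6, 1, 0, 35)),
        ((7, 0), (7, 0, 0, 15)),
    ],
    "was_oem_zos": [
        ((6, 1, 0, 25), (6, 1, 0, 32)),
        ((7, 0, 0, 7), (7, 0, 0, 13)),
    ],
}


def parse_version(text):
    """Convert '7.0.0.15' to (7, 0, 0, 15). Non-numeric fields are rejected
    so a typo such as '7.0.0.l5' fails loudly instead of comparing as text."""
    fields = text.strip().split(".")
    if not fields or not all(f.isdigit() for f in fields):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(f) for f in fields)


def _pad(version, width):
    """Right-pad with zeros so (6, 0) and (6, 0, 2, 43) compare field by field."""
    return tuple(version) + (0,) * (width - len(version))


def is_affected(product, version_text):
    """True when version_text falls inside an affected range for product."""
    version = parse_version(version_text)
    for low, high in AFFECTED_RANGES[product]:
        width = max(len(version), len(low), len(high))
        if _pad(low, width) <= _pad(version, width) <= _pad(high, width):
            return True
    return False


def lexicographic_says_affected(version_text, high="7.0.0.15"):
    """The wrong way: string comparison decides '7.0.0.7' > '7.0.0.15'
    because '7' > '1', so an affected level looks as if it were past the
    last affected level."""
    return version_text <= high


if __name__ == "__main__":
    for product, level in [("was_zos", "7.0.0.7"), ("was_zos", "7.0.0.17"),
                           ("was_oem_zos", "6.1.0.24")]:
        verdict = "affected" if is_affected(product, level) else "not affected"
        print(product, level, verdict)
```

Run against the level reported by your own installation; anything inside a range should be moved to one of the service levels named under "Solution" before the ++APAR or PTF is applied.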

Problem description

Unauthorized users might be granted unintended access to WebSphere 
applications when running WebSphere Application Server for z/OS.

This only occurs when WebSphere is configured with a Local OS user registry 
or a Federated Repository configured with RACF (Resource Access Control 
Facility) adapter. Both the Local OS user registry and the Federated 
Repository configuration with RACF adapter use SAF (System Authorization 
Facility) implementation which means both RACF usage and equivalent product 
usage are affected.

Solution

If you meet the preceding criteria, it is highly recommended that you take one 
of the actions listed below, as appropriate:

    * ++APAR: You can apply the appropriate prebuilt ++APAR below or open a 
      PMR (Problem Management Record) with IBM WebSphere Application Server for 
      z/OS support to request a custom-built ++APAR.

    * PTF: You can apply the appropriate PTF containing that APAR, when 
      available.

    * Temporary patch option: You can temporarily patch the version of the 
      WebSphere Application Server that you have installed until you can 
      upgrade to the PTF that contains the APAR or until you get a custom-built 
      ++APAR.


These prebuilt ++APARs also include the update to the Java JRE/JDK for 
CVE-2010-4476. Refer to the Flash on CVE-2010-4476 for more details.

Important note from IBM Support: IBM strongly suggests that all System z 
customers be subscribed to the System z Security Portal to receive the latest 
critical System z security and integrity service. If you are not subscribed, 
see the instructions at the System z Security Portal. Important security and 
integrity APARs and associated fixes will be posted to this portal. IBM
suggests that any security or integrity fix be applied as soon as possible to
minimize any potential risk.

For IBM WebSphere Application Server for z/OS:

For V7.0 through 7.0.0.15:

    * Move up in maintenance to one of the service levels listed below, and 
      then,
          o For V7.0.0.15, download and apply ++ APAR AM35480
          o For V7.0.0.13, download and apply ++ APAR BM35480
      --OR--
    * Apply APAR PM35480 via PTFs for 7.0.0.17 or later, when available 
      (projected to be available May 2011).


For V6.1 through 6.1.0.35:

    * Move up in maintenance to one of the service levels listed below, and
      then,
          o For V6.1.0.35, download and apply ++ APAR AM35478
          o For V6.1.0.33, download and apply ++ APAR BM35478
          o For V6.1.0.32, download and apply ++ APAR CM35478
      --OR--
    * Apply APAR PM35478 via PTFs for 6.1.0.37 or later, when available 
      (projected to be available April 2011).


For V6.0 through 6.0.2.43:

    * Move up in maintenance to service level 6.0.2.43, if not already at this 
      level, and then,
    * Download and apply ++ APAR AM35545


For IBM WebSphere Application Server OEM for z/OS:

For V7.0.0.7 through 7.0.0.13:

    * Move up in maintenance to service level 7.0.0.13, if not already at this 
      level, and then,
    * Download and apply ++ APAR AM35611
      --OR--
    * Apply APAR PM35611 via PTFs for 7.0.0.15, or later, when available 
      (projected to be available April 2011).


For V6.1.0.25 through 6.1.0.32:

    * Move up in maintenance to service level 6.1.0.32, if not already at this 
      level, and then,
    * Download and apply ++ APAR AM35609


To install a ++ APAR, follow the Instructions for installing ++APARs.

Note: Customers that require a fix at a different WebSphere service level not 
mentioned above, or those who are running with a service level mentioned above 
but also have an existing ++APAR, will need to open a PMR to work with IBM 
Technical Support personnel to determine the best method for providing a fix 
for their system. Be prepared to provide to IBM your current service level, 
and any existing ++APARs that are already received/applied to your system.

Temporary patch option

If you cannot use one of the prebuilt ++APARs above, and you cannot wait for a 
++APAR to be built at your level, you can temporarily patch the version of the 
WebSphere Application Server that you have installed until you can upgrade to 
the PTF that contains the APAR or until you get a custom-built ++APAR.

The patch utility can be run against a JAR that contains the affected class: 
it renames that JAR with a "-backup" suffix and creates a new JAR with the 
patch applied. (The rename preserves the symlink target if run against the 
config file system.) The patch is applied using byte code generation against a 
method that has not changed since WebSphere Application Server Version 6.0.2, 
which allows the same utility to be used on all previously unpatched levels of 
code.

Important note about the temporary patch utility: This patch utility is a 
temporary mechanism for addressing this critical security vulnerability by 
patching the affected JAR file. Refer to the readme instructions with the JAR 
for further instructions. IBM recommends that you install the appropriate 
++APAR or PTF that includes this fix, as time permits. Prior to putting on new
maintenance, the undo instructions for the patch utility will need to be 
performed to avoid running with downlevel code.

To use this utility, download the patch utility PM35478-zap.jar and follow the 
instructions in the PM35478PatchReadme file.
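As an added example (not IBM's patch utility and not from the bulletin), this Python scan is a pre-maintenance check for the undo step the note above requires: it walks an install tree for the "-backup" JARs the utility leaves beside each patched JAR and reports every pair, flagging backups whose live JAR is missing. The exact backup naming (original file name with "-backup" appended) and the sample tree it builds are assumptions made for this example.

```python
# Added example, not IBM's patch utility: find JARs still carrying the
# temporary patch so the undo step can be run before new maintenance goes on.
# Assumption for this example: the backup is the original JAR name with
# "-backup" appended, e.g. foo.jar -> foo.jar-backup.
import os
import tempfile

BACKUP_SUFFIX = "-backup"


def scan_patch_state(root):
    """Return one record per backup JAR found under root.

    Each record names the patched JAR the backup belongs to and whether that
    patched JAR is actually present; a backup with no live JAR beside it means
    the tree is in a half-patched state and needs attention before any undo."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar" + BACKUP_SUFFIX):
                continue
            backup = os.path.join(dirpath, name)
            patched = backup[: -len(BACKUP_SUFFIX)]
            findings.append({
                "patched_jar": patched,
                "backup_jar": backup,
                "patched_present": os.path.isfile(patched),
            })
    return sorted(findings, key=lambda f: f["patched_jar"])


def ready_for_maintenance(root):
    """True only when no temporary-patch backups remain under root."""
    return not scan_patch_state(root)


def build_sample_tree(with_backups=True):
    """Constructed sample install tree in a throwaway temp directory."""
    root = tempfile.mkdtemp(prefix="was_sample_")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    names = ["other.jar"]
    if with_backups:
        names += ["affected-class.jar", "affected-class.jar-backup",
                  "orphan.jar-backup"]  # orphan: backup with no patched JAR
    for name in names:
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(b"PK\x03\x04")  # minimal ZIP/JAR local-header magic
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for f in scan_patch_state(sample):
        status = "ok" if f["patched_present"] else "MISSING patched JAR"
        print("%s <- %s (%s)" % (f["patched_jar"], f["backup_jar"], status))
    print("ready for maintenance:", ready_for_maintenance(sample))
```

Point `scan_patch_state` at the install root (and at the config file system if the utility was run there); an empty result is the condition to require before SMP/E maintenance is applied, otherwise run the readme's undo instructions first.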

Instructions for installing ++APARs

   1. FTP the file to your system in BINARY, into a FIXED RECORD LENGTH 1024 
      data set.

   2. Force these DCB attributes using the following TSO FTP client command 
      right before the GET command:

      LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0

      If the ++APAR is quite large, then you can also pass along data set 
      allocation information on the LOCSITE command. The example below gives 
      the ++APAR file 300 cylinders in its primary and secondary extents.

      These numbers are just examples:

      LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0 PRI=300 SEC=300 CYL

   3. UNTERSE the file.

   4. SMP/E RECEIVE and APPLY the ++APAR.

   5. You must SMP/E RESTORE OFF the ++APAR before installing further WebSphere 
      maintenance.

Change history

31 Mar 2011:

    * Added "Both the Local OS user registry and the Federated Repository 
      configuration with RACF adapter use SAF (System Authorization Facility) 
      implementation which means both RACF usage and equivalent product usage 
      are affected." to the end of the Problem description for additional 
      clarity.
    * Updated the Temporary patch option description from "This patch utility 
      will search an install tree for all the JAR files that contain the 
      affected class. For each of the JARs it finds, it will rename the JAR 
      with a "-backup" suffix, and create a new JAR with a patch applied." to 
      "The patch utility can be run against a JAR that contains the affected 
      class, it will rename the JAR with a "-backup" suffix, and create a new 
      JAR with a patch applied. "
    * Added "Prior to putting on new maintenance, the undo instructions for the 
      patch utility will need to be performed to avoid running with downlevel 
      code." to the end of the Important note about the temporary patch utility 
      for additional clarity.

30 Mar 2011:

    * Original publish date.

Additional documentation

For additional details and information on WebSphere Application Server product 
updates, see APAR/PTF Tables by version for IBM WebSphere Application Server 
for z/OS.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNlUTQ/iFOrG6YcBERAijnAKDLEnZE+Oi66/Hv6+NOel7ZFsq80wCfX3g9
D2nab8rxQ6chSCa5bf/ztgY=
=yRKX
-----END PGP SIGNATURE-----