-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0367
 Potential security exposure with IBM WebSphere Application Server on z/OS
          running with Local Operating System user registry
                               1 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  z/OS
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4476
Reference:         ASB-2011.0016

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21473989&myns=swgws&mynp=OCSS7K4U&mync=E#patch

- --------------------------BEGIN INCLUDED TEXT--------------------

Potential security exposure with IBM WebSphere Application Server on z/OS
running with Local Operating System user registry (PM35480, PM35478,
PM35545, PM35611, PM35609)

Flash (Alert)

Abstract

Unauthorized users might be granted unintended access to WebSphere
applications.

Content

 * Versions affected
 * Problem description
 * Solution
 * Temporary patch option
 * Instructions for installing ++APARs
 * Change history
 * Additional documentation

Versions affected

This exposure exists only on the WebSphere Application Server for z/OS
products.

 * WebSphere Application Server for z/OS Versions 6.0 through 6.0.2.43,
   6.1 through 6.1.0.35, and 7.0 through 7.0.0.15. This does not occur on
   any releases of WebSphere Application Server for z/OS Versions prior to
   6.0, or after 6.0.2.43, 6.1.0.35 and 7.0.0.15.

 * WebSphere Application Server OEM for z/OS (FMID HBBN610) Versions
   6.1.0.25 through 6.1.0.32, and WebSphere Application Server OEM for z/OS
   (FMID HBBN700) Versions 7.0.0.7 through 7.0.0.13.
   This does not occur on any releases of WebSphere Application Server OEM
   for z/OS Versions prior to 6.1.0.25 and 7.0.0.7, or after 6.0.2.43 and
   7.0.0.13.

Problem description

Unauthorized users might be granted unintended access to WebSphere
applications when running WebSphere Application Server for z/OS. This
only occurs when WebSphere is configured with a Local OS user registry or
a Federated Repository configured with the RACF (Resource Access Control
Facility) adapter. Both the Local OS user registry and the Federated
Repository configuration with the RACF adapter use the SAF (System
Authorization Facility) implementation, which means both RACF usage and
equivalent product usage are affected.

Solution

If you meet the preceding criteria, it is highly recommended that you take
action, as appropriate below:

 * ++APAR: You can apply the appropriate prebuilt ++APAR below or open a
   PMR (Problem Management Record) with IBM WebSphere Application Server
   for z/OS support to request a custom-built ++APAR.
 * PTF: You can apply the appropriate PTF containing that APAR, when
   available.
 * Temporary patch option: You can temporarily patch the version of the
   WebSphere Application Server that you have installed until you can
   upgrade to the PTF that contains the APAR or until you get a
   custom-built ++APAR.

These prebuilt ++APARs also include the update to the Java JRE/JDK for
CVE-2010-4476. Refer to the Flash on CVE-2010-4476 for more details.

Important note from IBM Support: IBM strongly suggests that all System z
customers be subscribed to the System z Security Portal to receive the
latest critical System z security and integrity service. If you are not
subscribed, see the instructions at the System z Security Portal.
Important security and integrity APARs and associated fixes will be posted
to this portal. IBM suggests that any security or integrity fix be applied
as soon as possible to minimize any potential risk.
For IBM WebSphere Application Server for z/OS:

For V7.0 through 7.0.0.15:
 * Move up in maintenance to one of the service levels listed below, and
   then,
     o For V7.0.0.15, download and apply ++APAR AM35480
     o For V7.0.0.13, download and apply ++APAR BM35480
 --OR--
 * Apply APAR PM35480 via PTFs for 7.0.0.17 or later, when available
   (projected to be available May 2011).

For V6.1 through 6.1.0.35:
 * Move up in maintenance to one of the service levels listed below, and
   then,
     o For V6.1.0.35, download and apply ++APAR AM35478
     o For V6.1.0.33, download and apply ++APAR BM35478
     o For V6.1.0.32, download and apply ++APAR CM35478
 --OR--
 * Apply APAR PM35478 via PTFs for 6.1.0.37 or later, when available
   (projected to be available April 2011).

For V6.0 through 6.0.2.43:
 * Move up in maintenance to service level 6.0.2.43, if not already at
   this level, and then,
 * Download and apply ++APAR AM35545

For IBM WebSphere Application Server OEM for z/OS:

For V7.0.0.7 through 7.0.0.13:
 * Move up in maintenance to service level 7.0.0.13, if not already at
   this level, and then,
 * Download and apply ++APAR AM35611
 --OR--
 * Apply APAR PM35611 via PTFs for 7.0.0.15, or later, when available
   (projected to be available April 2011).

For V6.1.0.25 through 6.1.0.32:
 * Move up in maintenance to service level 6.1.0.32, if not already at
   this level, and then,
 * Download and apply ++APAR AM35609

To install a ++APAR, follow the Instructions for installing ++APARs.

Note: Customers that require a fix at a different WebSphere service level
not mentioned above, or those who are running with a service level
mentioned above but also have an existing ++APAR, will need to open a PMR
to work with IBM Technical Support personnel to determine the best method
for providing a fix for their system. Be prepared to provide to IBM your
current service level, and any existing ++APARs that are already
received/applied to your system.
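As an added example (not part of the IBM flash or the AusCERT bulletin), the following Python helper classifies a WebSphere for z/OS service level against the affected ranges and the prebuilt ++APAR levels listed above, so an administrator can decide quickly whether a server is exposed and which of the three options applies. The product labels and the saf_registry flag are names assumed for this example.

```python
# Added example, not from the IBM flash or the AusCERT bulletin: classifies a
# WebSphere Application Server for z/OS service level against the affected
# ranges and the prebuilt ++APAR service levels quoted in the bulletin.
# Product labels and the saf_registry flag are assumed names for this example.

# Affected (lowest, highest) service levels, from "Versions affected".
AFFECTED = {
    "WAS for z/OS": [("6.0", "6.0.2.43"), ("6.1", "6.1.0.35"), ("7.0", "7.0.0.15")],
    "WAS OEM for z/OS": [("6.1.0.25", "6.1.0.32"), ("7.0.0.7", "7.0.0.13")],
}

# Service levels at which the bulletin names a prebuilt ++APAR.
PREBUILT_APAR = {
    "WAS for z/OS": {
        "7.0.0.15": "AM35480", "7.0.0.13": "BM35480",
        "6.1.0.35": "AM35478", "6.1.0.33": "BM35478", "6.1.0.32": "CM35478",
        "6.0.2.43": "AM35545",
    },
    "WAS OEM for z/OS": {"7.0.0.13": "AM35611", "6.1.0.32": "AM35609"},
}


def parse_level(level):
    """'7.0.0.15' -> (7, 0, 0, 15); short forms such as '7.0' are zero-padded."""
    parts = [int(p) for p in level.split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected service level: {level!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(product, level, saf_registry=True):
    """True only when the level lies in an affected range and the server uses
    a SAF-backed registry (Local OS, or Federated Repository with the RACF
    adapter); the bulletin limits the exposure to those configurations."""
    if not saf_registry:
        return False
    lvl = parse_level(level)
    return any(parse_level(lo) <= lvl <= parse_level(hi)
               for lo, hi in AFFECTED[product])


def remediation(product, level, saf_registry=True):
    """Action for this server: 'not affected', the exact prebuilt ++APAR, or
    the fallback the bulletin gives when no prebuilt ++APAR exists at the
    installed level (move up in maintenance, or open a PMR)."""
    if not is_affected(product, level, saf_registry):
        return "not affected"
    normalized = ".".join(str(n) for n in parse_level(level))
    apar = PREBUILT_APAR[product].get(normalized)
    if apar:
        return f"apply ++APAR {apar}"
    return "move up to a listed service level, or open a PMR for a custom ++APAR"
```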
Temporary patch option

If you cannot use one of the prebuilt ++APARs above, and you cannot wait
for a ++APAR to be built at your level, you can temporarily patch the
version of the WebSphere Application Server that you have installed until
you can upgrade to the PTF that contains the APAR or until you get a
custom-built ++APAR.

The patch utility can be run against a JAR that contains the affected
class; it renames the JAR with a "-backup" suffix and creates a new JAR
with the patch applied. (The rename preserves the symlink target if run
against the config file system.) The patch is applied using byte code
generation against a method that has not changed since WebSphere
Application Server Version 6.0.2. This allows the same utility to be used
on all previously unpatched levels of code.

Important note about the temporary patch utility: This patch utility is a
temporary mechanism for addressing this critical security vulnerability by
patching the affected JAR file. Refer to the readme instructions with the
JAR for further instructions. IBM recommends that you install the
appropriate ++APAR or PTF that includes this fix, as time permits. Prior
to putting on new maintenance, the undo instructions for the patch utility
will need to be performed to avoid running with downlevel code.

To use this utility, download the patch utility PM35478-zap.jar and follow
the instructions in the PM35478PatchReadme file.

Instructions for installing ++APARs

1. FTP the file to your system in BINARY, into a FIXED RECORD LENGTH 1024
   data set.
2. Force these DCB attributes using the following TSO FTP client command
   right before the GET command:

      LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0

   If the ++APAR is quite large, then you can also pass along data set
   allocation information on the LOCSITE command. The example below gives
   the ++APAR file 300 cylinders in its primary and secondary extents.
   These numbers are just examples:

      LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0 PRI=300 SEC=300 CYL

3. UNTERSE the file.
4. SMP/E RECEIVE and APPLY the ++APAR.
5. You must SMP/E RESTORE OFF the ++APAR before installing further
   WebSphere maintenance.

Change history

31 Mar 2011:
 * Added "Both the Local OS user registry and the Federated Repository
   configuration with RACF adapter use SAF (System Authorization Facility)
   implementation which means both RACF usage and equivalent product usage
   are affected." to the end of the Problem description for additional
   clarity.
 * Updated the Temporary patch option description from "This patch utility
   will search an install tree for all the JAR files that contain the
   affected class. For each of the JARs it finds, it will rename the JAR
   with a "-backup" suffix, and create a new JAR with a patch applied." to
   "The patch utility can be run against a JAR that contains the affected
   class, it will rename the JAR with a "-backup" suffix, and create a new
   JAR with a patch applied."
 * Added "Prior to putting on new maintenance, the undo instructions for
   the patch utility will need to be performed to avoid running with
   downlevel code." to the end of the Important note about the temporary
   patch utility for additional clarity.

30 Mar 2011:
 * Original publish date.

Additional documentation

For additional details and information on WebSphere Application Server
product updates, see APAR/PTF Tables by version for IBM WebSphere
Application Server for z/OS.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.
As AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFNlUTQ/iFOrG6YcBERAijnAKDLEnZE+Oi66/Hv6+NOel7ZFsq80wCfX3g9
D2nab8rxQ6chSCa5bf/ztgY=
=yRKX
-----END PGP SIGNATURE-----