===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0391
   Password to the plugin-key.kdb file expires on April 26, 2012 US EDT
                               20 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server
Publisher:         IBM
Operating System:  z/OS
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2162  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21588312

--------------------------BEGIN INCLUDED TEXT--------------------

Password to the plugin-key.kdb file expires on April 26, 2012 US EDT

Flash (Alert)

Abstract

The password to the plugin-key.kdb file that is shipped with WebSphere 
Application Server expires on April 26, 2012 US EDT. This file is placed in 
the [Plugin_Home]/config/{webservername} directory when a web server plug-in 
is configured on an installed web server. 

Content

CVE-2012-2162

If you are using the WebSphere Key and Certificate Management generated plug-in 
key store you are NOT affected. If, however, you are using the key store 
installed by default with the Web Server Plug-in for WebSphere Application 
Server and you have NEVER changed the key store's password, then you must 
change the plug-in key store's password, which removes the pending password 
expiration, to avoid a security exposure. Generally, as a best practice, IBM 
recommends you always change passwords from the default value to enhance the 
security of your system.

In reference to this specific security exposure concern, a majority of users do 
not reference the affected file at runtime and therefore are not impacted. 
However, a small minority of users must take action and use certificate 
management tools to remove the password expiration prior to April 26, 2012 to 
avoid experiencing this issue.

Versions affected:

All versions of WebSphere Application Server for Distributed, IBM i, and z/OS 
operating systems (e.g., Version 8.0 and earlier) have the potential to be 
affected.

    Note: Versions 6.0 and earlier are no longer in service. The purchase of a 
support extension might be required, if additional assistance is needed, unless 
you are otherwise entitled to support.


Problem Description:

CVSS:

    CVSS Base Score: 6.8
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74900 for the 
    current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)


The following is a description of the mode of failure that will occur after 
the plug-in's key store password expiration date. It ONLY applies to users 
with affected web servers who have NOT taken the prescribed action.

The WebSphere Application Server web server plug-in (web server plug-in) comes 
with a plugin-key.kdb file upon installation. The default password, WebAS, is 
set to expire by April 26, 2012 US EDT.

    Note: This is a separate issue, with different assessment required, from 
the previously posted flash titled "WebSphere Plugin personal certificate 
expiration issue", posted on February 6, 2012.


After the password expiration date passes, the next time the web server running 
the web server plug-in is restarted, or the next time the plugin-cfg.xml is 
modified, the HTTPS (SSL) connectivity between the web server plug-in and the 
WebSphere Application Server might fail or revert to a non-SSL function and 
will not be encrypted.

This has no effect on the connection between the client (browser) and the web 
server, which does not use the plugin-key.kdb for its certificate exchange. Only 
connections between the web server plug-in and the WebSphere Application Server 
will have the problem. For systems that use this file for their web server 
security, corrective action will need to be taken as outlined in this Flash.

In some less common configurations, in which HTTP transports have been 
explicitly disabled, blocked, or removed, the web server plug-in will fail to 
forward the incoming requests returning an immediate error (HTTP 500 -- 
Internal Server Error).

Solution:

The following section describes how to correct the expiring password problem if 
you are running WebSphere Application Server on a distributed operating system. 
If you are running WebSphere Application Server on a z/OS or IBM i operating 
system, refer to the FAQ section of this Flash for a description of how to 
correct the expiring password problem for those environments.

For IBM HTTP Server Versions 7.0 and 8.0, to determine if the password being 
used on your system expires on April 26, 2012, launch the HTTP Server iKeyman, 
and load the plugin-key.kdb file from either of the two previously mentioned 
directory locations.

- From the "Key Database File" menu, select "Display Password Expiry".

The resulting pop-up will state that the password never expires, or will 
specify the specific date on which the password expires.

If the password expires on April 26, 2012, select "Change Password" from the 
"Key Database File" menu. In the Password Prompt pop-up, specify the same 
password or a new password, and select Expiration time if you want the password 
to expire after a specific number of days. If you do not select Expiration 
time, the password never expires.

You MUST also select "Stash password to a file" before you click OK. This 
setting is critical for the plug-in binary to be able to use the kdb file.


=================================================================
For IBM HTTP Server Versions 6.0 or 6.1, issue the gsk7capicmd command to 
determine if the password being used on your system expires on April 26, 2012. 
This command is located in your [gsk_root]/bin directory.

gsk7capicmd -keydb -expiry -db "C:\temp\plugin-key.kdb" -pw WebAS

The resulting output indicates the expiration date for the password. For 
example, the following output indicates that the password expires on April 26, 
2012 at 11:20:31 AM EDT:

Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time

Issue a gsk7 command, similar to the following command, to change the password 
that is expiring:

gsk7capicmd -keydb -changepw -pw xxxx -new_pw yyyy -stash -db plugin-key.kdb

If you want the new password to expire after a specific number of days, add 
-expire to the gsk7capicmd command line and specify the number of days for 
which you want the new password to be valid.

Note 1: IMPORTANT: Setting the -expire parameter to 0 means that the password 
associated with the key database does not expire.

Note 2: Gskit versions prior to 7.0.3.17 do not recognize the -expire 
parameter. If you are using one of these prior Gskit versions, you must upgrade 
to the latest Gskit 7.0.4.x version.

    Fix Pack 17 for IHS V6.1 (V6.1.0.17) and Fix Pack 27 for IHS V6.0.2 
(V6.0.2.27) can upgrade the GSKit to V7.0.4.14

    http://www.ibm.com/support/docview.wss?uid=swg27008517#61017
    http://www.ibm.com/support/docview.wss?uid=swg27007033#60227

    Or the customer can upgrade their system wide GSKit from the link in the 
following page.

    http://www.ibm.com/support/docview.wss?uid=swg24026884


Note 3: There is a behavior difference between Gskit 7.0.3.x and 7.0.4.x when 
using these commands. Leaving the -expire off when using Gskit 7.0.4 results in 
a password that never expires. Leaving the -expire off when using Gskit 
versions prior to 7.0.3.17 results in a password expiring in one year. Leaving 
the -expire off when using Gskit versions equal to and later than 7.0.3.17 
results in a password that never expires.

Note 4: Gskit Versions 7.0.3.9 and earlier do not recognize the 
-new_pw parameter. Instead, you will be prompted for the new password and then 
asked to confirm the new password.

Note 5: Some customers using Windows get the following prompt when attempting 
the gsk7capicmd command.

The solution is to locate this file within your gskit home and update your 
Environment Variables Path to have the location to this dll. You can also 
temporarily set the additional path information within an instance of the 
command prompt, prior to issuing any gsk7capicmd, by executing a command like 
this.

SET PATH=%PATH%;C:\[your_Gskit_Home]\BIN;C:\[your_Gskit_Home]\LIB

FAQs:
Q: What happens if I do nothing?
A: You might not notice anything on April 26, 2012, but after the web server is 
restarted or it loads a new copy of the plugin-cfg.xml due to propagation, the 
web server plug-in will fail to initialize the HTTPS transports. The plug-in 
will rely on HTTP (non-SSL) transports to communicate with the WebSphere 
Application Server, and the plug-in log will contain error messages similar to 
the following messages:

    ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
    ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security

Q: Can I use the same password?
A: You cannot supply the existing password and tell it to change it to that 
same one. You must specify a new password.

Q: Once I change the password, what's next?
A: You should restart your web server to force it to reload the plugin-key.kdb 
file.

Q: What does it mean when I see "Validity: 0" upon issuing the gsk7capicmd to 
view my expiry value?
A: That indicates that the password will never expire.
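The expiry check and the plug-in log symptoms described above, as an added triage helper that is not part of the IBM Flash: it parses the "Validity:" line that gsk7capicmd -keydb -expiry prints (treating "Validity: 0" as never expiring, per the FAQ) and counts the GSK initialization errors in a plug-in log. The command output and log lines below are constructed samples.

```shell
#!/bin/sh
# Added example (not IBM's code). Reads gsk7capicmd -keydb -expiry output and a
# web server plug-in log; all sample data is constructed from the Flash's text.

# Constructed gsk7capicmd -keydb -expiry output for an affected kdb.
EXPIRING_OUTPUT='Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time'
# "Validity: 0" is what gsk7capicmd prints when the password never expires.
NEVER_OUTPUT='Validity: 0'

# kdb_password_status: reads -expiry output on stdin and prints one of
# "never", "expires <date>" or "unknown" (no Validity line found).
kdb_password_status() {
    validity=$(sed -n 's/^Validity:[[:space:]]*//p' | head -n 1)
    case "$validity" in
        '') echo "unknown" ;;
        0)  echo "never" ;;
        *)  echo "expires $validity" ;;
    esac
}

# needs_password_change: exit 0 (true) when the kdb password has a finite expiry,
# i.e. the -changepw -stash step in this Flash is required.
needs_password_change() {
    status=$(kdb_password_status)
    case "$status" in
        expires*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed plug-in log excerpt containing the two errors the FAQ says appear
# once the HTTPS transports fail to initialize after the password expires.
PLUGIN_LOG='[Thu Apr 26 12:00:01 2012] 00001234 00000001 - PLUGIN: Plugins loaded.
[Thu Apr 26 12:00:02 2012] 00001234 00000001 - ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
[Thu Apr 26 12:00:02 2012] 00001234 00000001 - ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security
[Thu Apr 26 12:00:03 2012] 00001234 00000001 - PLUGIN: Server initialized'

# count_gsk_init_failures: reads a plug-in log on stdin and prints how many lines
# signal that GSK could not open the kdb (a fallback to non-SSL transports).
count_gsk_init_failures() {
    grep -c -e 'initializeSecurity: Failed to initialize GSK environment' \
            -e 'transportInitializeSecurity: Failed to initialize security' || true
}

# Real use: gsk7capicmd -keydb -expiry -db plugin-key.kdb -pw WebAS | kdb_password_status
#           cat http_plugin.log | count_gsk_init_failures
```

A "Validity: 0" result means no action is needed; any dated result means the password must be changed and re-stashed before the web server is restarted.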

Q: What if I find the password problem within my plug-in from WebSphere 
Application Server Version 4.0.x?
A: The plug-in from WebSphere Application Server Version 4.0 used Gskit 
Version 5. You can use the gsk5ikm GUI to change the password or use the 
gsk5cmd to alter the password. If it's more convenient, you can backup and copy 
the kdb file to a Gskit 7.0.4 environment and use the tools there to change the 
password.

Q: How do I correct the password problem if I am running on z/OS?
A: You can use the z/OS gskkyman utility. To use this utility to display the 
expiration date, issue a command similar to the following command:

    gskkyman -dk -k plugin-key.kdb

To fix the expiration date, you must complete the following steps, which 
include changing the password:

        1. Navigate to the location of the plugin-key.kdb file.
        2. Enter gskkyman.
        3. From the menu provided, choose option "3 - Change database 
           password".
        4. Prompt: "Enter key database name (press ENTER to return to menu):" 
           (Enter plugin-key.kdb).
        5. Prompt: "Enter database password (press ENTER to return to menu):" 
           (Enter WebAS).
        6. Prompt: "Enter new database password (press ENTER to return to 
           menu):" (Enter your new password).
        7. Prompt: "Re-enter database password:" (Re-enter the password).
        8. Prompt: "Enter password expiration in days (press ENTER for no 
           expiration):" (decide if you want this password to expire).

After the password is set, use the following command to stash the new password 
to a file for the plugin to utilize the updated kdb file.

        gskkyman -s -k plugin-key.kdb

Q: How do I correct the password problem if I am running on IBM i?
A: IBM i provides a utility called Digital Certificate Manager. This tool can 
be used to change the password, but it does not provide a means to view the 
expiry value.

To view the password expiration value, copy the plugin-key.kdb file to a 
distributed environment, such as Microsoft Windows, and use either iKeyman or 
gsk7capicmd utilities previously described in this Flash.

To change the password, complete one of the following actions.

If you are running on IBM i V5R4, complete the following steps:

    1. Start the HTTP Admin server if it is not already running:
        STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
    2. In the browser, enter the following:
        machine:2001 (enter credentials)
    3. Click Digital Certificate Manager.
    4. Click Select a certificate store.
    5. Select Other system certificate store, and then click Continue.
    6. Enter the path to the plugin-key.kdb file in the Certificate store path 
       and file name: field.
    7. Click Reset password.
    8. Enter the new password, confirm the new password, and then take the 
       default options:
        - Automatic login
        - Password does not expire
    9. Click Continue.

The operation is successful if you see the message "The password has been 
reset."

If you are running on IBM i V6R1 or V7R1, complete the following steps:

    1. Start the HTTP Admin server if it is not already running:
        STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
    2. In the browser, enter the following:
        machine:2001 (enter credentials)
    3. Expand IBM i management and click Internet Configurations.
    4. Click Digital Certificate Manager.
    5. Click Select a certificate store.
    6. Select Other System Certificate Store, and then click Continue.
    7. Enter the path to the plugin-key.kdb file in the Certificate store 
       path and file name: field.
    8. Click Reset password.
    9. Enter the new password, confirm the new password, and then take the 
       default options:
        - Automatic login
        - Password does not expire
    10. Click Continue.

The operation is successful if you see the message "The password has been 
reset."


Change History	
3/23/2012	Flash published
4/13/2012	FAQ's added
4/16/2012	Added information to alert customers that only HTTP transports 
will be used if SSL stops working. Added additional content for z/OS and 
iSeries within FAQ.
4/18/2012	Add additional FAQ information and Note 5 concerning Windows 
problem.

Related information

Plugin Personal Cert will expire on April 26 2012

Cross reference information
Segment              Product                                Component  Platform  Version                  Edition
Application Servers  WebSphere Application Server for z/OS  z/OS       z/OS      8.0, 7.0, 6.1, 6.0, 5.1

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines 
Corp., registered in many jurisdictions worldwide. Other product and service 
names might be trademarks of IBM or other companies. A current list of IBM 
trademarks is available on the Web at "Copyright and trademark information" at 
www.ibm.com/legal/copytrade.shtml.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================