-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0391
     Password to the plugin-key.kdb file expires on April 26, 2012 US EDT
                               20 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server
Publisher:         IBM
Operating System:  z/OS
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2162

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21588312

--------------------------BEGIN INCLUDED TEXT--------------------

Password to the plugin-key.kdb file expires on April 26, 2012 US EDT

Flash (Alert)

Abstract

The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. This file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.

Content

CVE-2012-2162

If you are using the WebSphere Key and Certificate Management generated plug-in key store you are NOT affected. If, however, you are using the key store installed by default with the Web Server Plug-in for WebSphere Application Server and you have NEVER changed the key store's password, then you must change the plug-in key store's password, which removes the pending password expiration, to avoid a security exposure.

Generally, as a best practice, IBM recommends you always change passwords from the default value to enhance the security of your system. In reference to this specific security exposure concern, a majority of users do not reference the affected file at runtime and therefore are not impacted.
However, a small minority of users must take action and use certificate management tools to remove the password expiration prior to April 26, 2012 to avoid experiencing this issue.

Versions affected:

All versions of WebSphere Application Server for Distributed, IBM i, and z/OS operating systems (e.g., Version 8.0 and earlier) have the potential to be affected.

Note: Versions 6.0 and earlier are no longer in service. The purchase of a support extension might be required, if additional assistance is needed, unless you are otherwise entitled to support.

Problem Description:

CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74900 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

The following is the description of the mode of failure which will occur after the plug-in's key store password expiration date; however, it ONLY applies to users with affected web servers who have NOT taken the prescribed action.

The WebSphere Application Server web server plug-in (web server plug-in) comes with a plugin-key.kdb file upon installation. The default password of WebAS is set to expire by April 26, 2012 US EDT.

Note: This is a separate issue, with a different assessment required, from the previously posted flash titled "WebSphere Plugin personal certificate expiration issue", posted on February 6, 2012.

After the password expiration date passes, the next time the web server running the web server plug-in is restarted, or the next time the plugin-cfg.xml is modified, the HTTPS (SSL) connectivity between the web server plug-in and the WebSphere Application Server might fail or revert to a non-SSL function and will not be encrypted. This has no effect on connections between the client (browser) and the web server, which do not use the plugin-key.kdb for their certificate exchange. Only connections between the web server plug-in and the WebSphere Application Server will have the problem.
For systems that use this file for their web server security, corrective action will need to be taken as outlined in this Flash.

In some less common configurations, in which HTTP transports have been explicitly disabled, blocked, or removed, the web server plug-in will fail to forward the incoming requests, returning an immediate error (HTTP 500 -- Internal Server Error).

Solution:

The following section describes how to correct the expiring password problem if you are running WebSphere Application Server on a distributed operating system. If you are running WebSphere Application Server on a z/OS or IBM i operating system, refer to the FAQ section of this Flash for a description of how to correct the expiring password problem for those environments.

For IBM HTTP Server Versions 7.0 and 8.0, to determine if the password being used on your system expires on April 26, 2012, launch the HTTP Server iKeyman, and load the plugin-key.kdb file from either of the two previously mentioned directory locations.

- From the "Key Database File" menu, select "Display Password Expiry". The resulting pop-up will state that the password never expires, or will specify the specific date on which the password expires.

If the password expires on April 26, 2012, select "Change Password" from the "Key Database File" menu. In the Password Prompt pop-up, specify the same password or a new password, and select Expiration time if you want the password to expire after a specific number of days. If you do not select Expiration time, the password never expires.

You MUST also select "Stash password to a file" before you click OK. This setting is critical for the plug-in binary to be able to use the kdb file.

=================================================================

For IBM HTTP Server Versions 6.0 or 6.1, issue the gsk7capicmd command to determine if the password being used on your system expires on April 26, 2012. This command is located in your [gsk_root]/bin directory.
gsk7capicmd -keydb -expiry -db "C:\temp\plugin-key.kdb" -pw WebAS

The resulting output indicates the expiration date for the password. For example, the following output indicates that the password expires on April 26, 2012 at 11:20:31 AM EDT:

Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time

Issue a gsk7 command, similar to the following command, to change the password that is expiring:

gsk7capicmd -keydb -changepw -pw xxxx -new_pw yyyy -stash -db plugin-key.kdb

If you want the new password to expire after a specific number of days, add -expire to the gsk7capicmd command line and specify the number of days for which you want the new password to be valid.

Note 1: IMPORTANT: Setting the -expire parameter to 0 means that the password associated with the key database does not expire.

Note 2: Gskit versions prior to 7.0.3.17 do not recognize the -expire parameter. If you are using one of these prior Gskit versions, you must upgrade to the latest Gskit 7.0.4.x version. Fix Pack 17 for IHS V6.1 (V6.1.0.17) and Fix Pack 27 for IHS V6.0.2 (V6.0.2.27) can upgrade the GSKit to V7.0.4.14:
http://www.ibm.com/support/docview.wss?uid=swg27008517#61017
http://www.ibm.com/support/docview.wss?uid=swg27007033#60227
Or the customer can upgrade their system-wide GSKit from the link in the following page:
http://www.ibm.com/support/docview.wss?uid=swg24026884

Note 3: There is a behavior difference between Gskit 7.0.3.x and 7.0.4.x when using these commands. Leaving -expire off when using Gskit 7.0.4 results in a password that never expires. Leaving -expire off when using Gskit versions prior to 7.0.3.17 results in a password expiring in one year. Leaving -expire off when using Gskit versions equal to and later than 7.0.3.17 results in a password that never expires.

Note 4: Gskit Versions 7.0.3.9 and earlier do not recognize the -new_pw parameter. Instead, you will be prompted for the new password and then asked to confirm the new password.
Note 5: Some customers using Windows get the following prompt when attempting the gsk7capicmd command. The solution is to locate this file within your gskit home and update your Environment Variables Path to have the location of this dll. You can also temporarily set the additional path information within an instance of the command prompt, prior to issuing any gsk7capicmd, by executing a command like this:

SET PATH=%PATH%;C:\[your_Gskit_Home]\BIN;C:\[your_Gskit_Home]\LIB

FAQs:

Q: What happens if I do nothing?
A: You might not notice anything on April 26, 2012, but after the web server is restarted or it loads a new copy of the plugin-cfg.xml due to propagation, the web server plug-in will fail to initialize the HTTPS transports. The plug-in will rely on HTTP (non-SSL) transports to communicate with the WebSphere Application Server, and the plug-in log will contain error messages similar to the following messages:

ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security

Q: Can I use the same password?
A: You cannot supply the existing password and tell it to change it to that same one. You must specify a new password.

Q: Once I change the password, what's next?
A: You should restart your web server to force it to reload the plugin-key.kdb file.

Q: What does it mean when I see "Validity: 0" upon issuing the gsk7capicmd to view my expiry value?
A: That indicates that the password will never expire.

Q: What if I find the password problem within my plug-in from WebSphere Application Server Version 4.0.x?
A: The plug-in from WebSphere Application Server Version 4.0 used Gskit Version 5. You can use the gsk5ikm GUI to change the password or use gsk5cmd to alter the password. If it's more convenient, you can back up and copy the kdb file to a Gskit 7.0.4 environment and use the tools there to change the password.
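As an added example (not part of the IBM flash or the AusCERT bulletin), the following POSIX shell script turns two of the checks above into something an operator can run: it classifies the "Validity:" line that gsk7capicmd -keydb -expiry prints, and it counts the plug-in log errors the FAQ lists, which are the sign that the plug-in has fallen back to non-SSL transports. The sample command output and log lines are constructed, the log line prefix is an assumption, and check_kdb is a hypothetical wrapper that only works where gsk7capicmd is installed.

```shell
#!/bin/sh
# Added example, not code from IBM or AusCERT. Two defender-side checks for
# the plugin-key.kdb password expiry described in the flash.

kdb_password_status() {
    # $1 = full stdout of "gsk7capicmd -keydb -expiry -db <kdb> -pw <pw>".
    # "Validity: 0" means the password never expires (see the FAQ); any other
    # value is a date, and the password should be changed with -stash.
    validity=$(printf '%s\n' "$1" | sed -n 's/^Validity:[[:space:]]*//p' | head -n 1)
    case "$validity" in
        "") echo "unknown" ;;
        0)  echo "never-expires" ;;
        *)  echo "expires: $validity" ;;
    esac
}

check_kdb() {
    # Hypothetical wrapper: $1 = path to plugin-key.kdb, $2 = current password
    # (WebAS is the shipped default). Runs the real command from the bulletin.
    command -v gsk7capicmd >/dev/null 2>&1 || { echo "gsk7capicmd not on PATH" >&2; return 2; }
    kdb_password_status "$(gsk7capicmd -keydb -expiry -db "$1" -pw "$2")"
}

plugin_log_ssl_failures() {
    # $1 = contents of the web server plug-in log. Prints how many lines carry
    # the two GSK/transport initialisation errors quoted in the FAQ.
    printf '%s\n' "$1" | grep -c -E \
        'ERROR: (lib_security: initializeSecurity: Failed to initialize GSK environment|ws_transport: transportInitializeSecurity: Failed to initialize security)' \
        || true   # grep -c exits 1 when the count is 0; keep the "0" and succeed
}

# Constructed samples: gsk7capicmd output as quoted in the flash, and a
# plug-in log with an assumed timestamp/pid prefix.
SAMPLE_EXPIRING='Validity: Thursday, 26 April 2012 11:20:31 AM Eastern Daylight Time'
SAMPLE_NEVER='Validity: 0'
SAMPLE_LOG='[Thu Apr 26 12:00:01 2012] 00001234 00000001 - ERROR: lib_security: initializeSecurity: Failed to initialize GSK environment
[Thu Apr 26 12:00:01 2012] 00001234 00000001 - ERROR: ws_transport: transportInitializeSecurity: Failed to initialize security
[Thu Apr 26 12:00:02 2012] 00001234 00000001 - PLUGIN: Plugins loaded.'

kdb_password_status "$SAMPLE_EXPIRING"   # expires: Thursday, 26 April 2012 ...
kdb_password_status "$SAMPLE_NEVER"      # never-expires
plugin_log_ssl_failures "$SAMPLE_LOG"    # 2
```

A non-zero count from plugin_log_ssl_failures after a web server restart is the condition the FAQ describes, where requests are still forwarded but over HTTP rather than HTTPS.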
Q: How do I correct the password problem if I am running on z/OS?
A: You can use the z/OS gskkyman utility. To use this utility to display the expiration date, issue a command similar to the following command:

gskkyman -dk -k plugin-key.kdb

To fix the expiration date, you must complete the following steps, which include changing the password:

1. Navigate to the location of the plugin-key.kdb file.
2. Enter gskkyman.
3. From the menu provided, choose option "3 - Change database password".
4. Prompt: "Enter key database name (press ENTER to return to menu):" (Enter plugin-key.kdb).
5. Prompt: "Enter database password (press ENTER to return to menu):" (Enter WebAS).
6. Prompt: "Enter new database password (press ENTER to return to menu):" (Enter your new password).
7. Prompt: "Re-enter database password:" (Re-enter the password).
8. Prompt: "Enter password expiration in days (press ENTER for no expiration):" (decide if you want this password to expire).

After the password is set, use the following command to stash the new password to a file so the plug-in can utilize the updated kdb file:

gskkyman -s -k plugin-key.kdb

Q: How do I correct the password problem if I am running on IBM i?
A: IBM i provides a utility called Digital Certificate Manager. This tool can be used to change the password, but it does not provide a means to view the expiry value. To view the password expiration value, copy the plugin-key.kdb file to a distributed environment, such as Microsoft Windows, and use either the iKeyman or gsk7capicmd utilities previously described in this Flash.

To change the password, complete one of the following actions.

If you are running on IBM i V5R4, complete the following steps:

1. Start the HTTP Admin server if it is not already running: STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
2. In the browser, enter the following: machine:2001 (enter credentials)
3. Click Digital Certificate Manager.
4. Click Select a certificate store.
5. Select Other system certificate store, and then click Continue.
6. Enter the path to the plugin-key.kdb file in the "Certificate store path and file name:" field.
7. Click Reset password.
8. Enter the new password, confirm the new password, and then take the default options:
   - Automatic login
   - Password does not expire
9. Click Continue. The operation is successful if you see the message "The password has been reset."

If you are running on IBM i V6R1 or V7R1, complete the following steps:

1. Start the HTTP Admin server if it is not already running: STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
2. In the browser, enter the following: machine:2001 (enter credentials)
3. Expand IBM i management and click Internet Configurations.
4. Click Digital Certificate Manager.
5. Click Select a certificate store.
6. Select Other System Certificate Store, and then click Continue.
7. Enter the path to the plugin-key.kdb file in the "Certificate store path and file name:" field.
8. Click Reset password.
9. Enter the new password, confirm the new password, and then take the default options:
   - Automatic login
   - Password does not expire
10. Click Continue. The operation is successful if you see the message "The password has been reset."

Change History

3/23/2012  Flash published
4/13/2012  FAQs added
4/16/2012  Added information to alert customers that only HTTP transports will be used if SSL stops working. Added additional content for z/OS and iSeries within FAQ.
4/18/2012  Added additional FAQ information and Note 5 concerning the Windows problem.

Related information

Plugin Personal Cert will expire on April 26 2012

Cross reference information

Segment              Product                                Component  Platform  Version                  Edition
-------------------  -------------------------------------  ---------  --------  -----------------------  -------
Application Servers  WebSphere Application Server for z/OS             z/OS      8.0, 7.0, 6.1, 6.0, 5.1

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide.
Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----