===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0822
      Security Vulnerabilities fixed in IBM WebSphere Application Server
                              29 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3325  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21609067

--------------------------BEGIN INCLUDED TEXT--------------------

Potential security exposure with IBM WebSphere Application Server after
installing PM44303

Flash (Alert)

Abstract

   After installing an Interim Fix for PM44303 or a Fix Pack containing
   PM44303, there is a potential security exposure with IBM WebSphere
   Application Server.

Content

   Affected Versions:

   The problem affects IBM WebSphere Application Server on distributed
   platforms, i5/OS and z/OS, and IBM WebSphere Application Server
   Hypervisor Edition, at the following versions:

     * Version 6.1.0.43
     * Version 7.0.0.21 through 7.0.0.23
     * Version 8.0.0.2 through 8.0.0.4
     * Version 8.5.0.0 (Full Profile only)

   The problem does not occur on the following versions:

     * Version 6.0.2
     * Version 6.1.0.0 through 6.1.0.41
     * Version 7.0.0.0 through 7.0.0.19
     * Version 8.0.0.0 through 8.0.0.1
     * Version 8.5.0.0 (Liberty Profile only)
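   The affected and fixed service levels above lend themselves to a quick
   triage check. The following is an added example, not part of the IBM or
   AusCERT bulletin: it encodes the ranges and Fix Pack levels listed in this
   bulletin, and parses a constructed sample in the shape of versionInfo
   output (that format is an assumption, not something the bulletin shows).

```python
import re

# Added example, not part of the IBM/AusCERT bulletin: maps an installed WebSphere
# Application Server level (and profile) to the affected ranges and fix levels the
# bulletin lists. Ranges come from the bulletin text; the shape of the versionInfo
# output parsed below is a constructed assumption.

# (first affected level, last affected level, first Fix Pack carrying PM71296)
AFFECTED_RANGES = [
    ((6, 1, 0, 43), (6, 1, 0, 43), (6, 1, 0, 45)),
    ((7, 0, 0, 21), (7, 0, 0, 23), (7, 0, 0, 25)),
    ((8, 0, 0, 2), (8, 0, 0, 4), (8, 0, 0, 5)),
    ((8, 5, 0, 0), (8, 5, 0, 0), (8, 5, 0, 1)),  # 8.5.0.0: Full Profile only
]

def parse_version(text):
    """'7.0.0.21' -> (7, 0, 0, 21); shorter strings such as '8.5' pad to 8.5.0.0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected version string: %r" % text)
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def dotted(v):
    return ".".join(str(n) for n in v)

def triage(version, liberty_profile=False):
    """Return (status, fix_pack) for CVE-2012-3325 at the given service level."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            if v[:2] == (8, 5) and liberty_profile:
                return ("not affected", None)  # Liberty Profile is not affected
            return ("affected", dotted(fixed))  # or apply Interim Fix PM71296
        if v[:2] == low[:2] and v >= fixed:
            return ("fixed", dotted(fixed))
    return ("not affected", None)

# Constructed sample in the shape of `versionInfo.sh` output (format is an assumption).
SAMPLE_VERSIONINFO = """\
Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server
Version               7.0.0.22
ID                    BASE
"""

def version_from_versioninfo(output):
    """Pull the product Version line out of versionInfo-style output."""
    m = re.search(r"^Version\s+(\d+(?:\.\d+){1,3})\s*$", output, re.MULTILINE)
    if not m:
        raise ValueError("no product Version line found")
    return m.group(1)

if __name__ == "__main__":
    print(triage(version_from_versioninfo(SAMPLE_VERSIONINFO)))
```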

   CVE ID: CVE-2012-3325 (PM71296)

   Problem Description:
   If you have installed an Interim Fix for PM44303 or one of the Fix Packs
   listed above, an authenticated user can potentially bypass security
   restrictions because of an error in how user credentials are validated.
   This could allow the user to gain unauthorized administrative access to
   an application and, through it, access to confidential and critical
   customer data.

   CVSS:
   CVSS Base Score: 6.0
   CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77959 for the
   current score
   CVSS Environmental Score*: undefined
   CVSS String: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

   Solutions:
   Apply Interim Fix PM71296, or a Fix Pack containing the APAR, as noted
   below.

   For IBM WebSphere Application Server for distributed operating systems
   and IBM WebSphere Application Server Hypervisor Edition:

   For V8.5.0.0 Full Profile:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply Fix Pack 1 (8.5.0.1), or later (targeted to be available end
       of October 2012).

   For V8.0.0.2 through 8.0.0.4:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply Fix Pack 5 (8.0.0.5) or later (targeted to be available
       mid-November 2012).

   For V7.0.0.21 through 7.0.0.23:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply Fix Pack 25 (7.0.0.25) or later (targeted to be available
       late September 2012).

   For V6.1.0.43:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply Fix Pack 45 (6.1.0.45) or later (targeted to be available
       late September 2012).

   For IBM WebSphere Application Server for i5/OS operating systems:

   For V8.5.0.0 Full Profile:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply the WebSphere Application Server PTF group which includes Fix
       Pack 1 (8.5.0.1), or later (targeted to be available end of October
       2012).

   For V8.0.0.2 through 8.0.0.4:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply the WebSphere Application Server PTF group which includes Fix
       Pack 5 (8.0.0.5) or later (targeted to be available mid-November
       2012).

   For V7.0.0.21 through 7.0.0.23:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply the WebSphere Application Server PTF group which includes Fix
       Pack 25 (7.0.0.25) or later (targeted to be available late
       September 2012).

   For V6.1.0.43:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply the WebSphere Application Server PTF group which includes Fix
       Pack 45 (6.1.0.45) or later (targeted to be available late
       September 2012).

   For WebSphere Application Server for z/OS operating systems:

   For V8.5.0.0 Full Profile:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply Fix Pack 1 (8.5.0.1), or later (targeted to be available end
       of October 2012).

   For V8.0.0.2 through 8.0.0.4:
     * Apply Interim Fix APAR PM71296
   --OR--
     * Apply Fix Pack 5 (8.0.0.5) or later (targeted to be available
       mid-November 2012).

   For z/OS operating systems, Version 7 and Version 6.1:
   ++APAR: You can apply the appropriate prebuilt ++APAR below or open
   a PMR (Problem Management Record) with IBM WebSphere Application Server
   for z/OS Technical Support to request a custom-built ++APAR.

   For V7.0.0.23:
     * Download and apply ++APAR BM71296
   --OR--
     * Apply APAR PM71296 by installing PTFs for Fix Pack 25 (7.0.0.25) or
       later (targeted to be available late September 2012).

   For V7.0.0.21:
     * Download and apply ++APAR CM71296
   --OR--
     * Apply APAR PM71296 by installing PTFs for Fix Pack 25 (7.0.0.25) or
       later (targeted to be available late September 2012).

   For V6.1.0.43:
     * Download and apply ++APAR AM71462. The ++APAR AM71462 will
       install for 6.1.0.43 Base Edition, or for WebSphere Application
       Server V6.1 Feature Pack for EJB 3.0 on z/OS or WebSphere
       Application Server V6.1 Feature Pack for Web Services on z/OS.
   --OR--
     * Apply APAR PM71462 by installing PTFs for Fix Pack 45 (6.1.0.45) or
       later (targeted to be available late September 2012).

   Note: Customers that require a fix at a different WebSphere service
   level not mentioned above, or those who are running with a service
   level mentioned above but also have an existing ++APAR, will need to
   open a PMR to work with IBM Technical Support personnel to determine
   the best method for providing a fix for their system. Be prepared to
   provide to IBM your current service level, and any existing ++APARs
   that are already received/applied to your system.

   Instructions for installing ++APARs:

    1. FTP the file to your system in BINARY, into a FIXED RECORD LENGTH
       1024 data set.
    2. Force these DCB attributes using the following TSO FTP client
       command right before the GET command:

         LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0

       If the ++APAR is quite large, then you can also pass along data set
       allocation information on the LOCSITE command. The example below
       gives the ++APAR file 300 cylinders in its primary and secondary
       extents. These numbers are just examples:

         LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0 PRI=300 SEC=300 CYL

    3. UNTERSE the file.
    4. SMP/E RECEIVE and APPLY the ++APAR.
    5. You must SMP/E RESTORE OFF the ++APAR before installing further
       WebSphere maintenance.

   Additional documentation:
   For additional details and information on WebSphere Application Server
   product updates:
     * For Distributed, see Recommended fixes for WebSphere
       Application Server.
     * For i5/OS, see WebSphere Application Server for i5/OS.
     * For z/OS, see WebSphere Application Server for z/OS

   REFERENCES:
     * Complete CVSS Guide (link to
       http://www.first.org/cvss/cvss-guide.html)
     * On-line Calculator V2 (link to
       http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

   *The CVSS Environment Score is customer environment specific and will
   ultimately impact the Overall CVSS Score. Customers can evaluate the
   impact of this vulnerability in their environments by accessing the
   links in the Reference section of this Flash.
   Note: According to the Forum of Incident Response and Security Teams
   (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry
   open standard designed to convey vulnerability severity and help to
   determine urgency and priority of response." IBM PROVIDES THE CVSS
   SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED
   WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
   CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
   POTENTIAL SECURITY VULNERABILITY.

   Cross reference information

   Segment:     Application Servers
   Product:     WebSphere Application Server for z/OS
   Component:   Security
   Platform:    z/OS, OS/390
   Version:     8.5, 8.0.0.4, 8.0.0.3, 8.0.0.2, 7.0.0.23, 7.0.0.21, 6.1.0.43

   Segment:     Application Servers
   Product:     WebSphere Application Server Hypervisor Edition
   Platform:    AIX, Linux
   Version:     8.5, 8.0, 7.0, 6.1
   Edition:     All Editions

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================