===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0822
        Security Vulnerabilities fixed in IBM WebSphere Application
                               29 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-3325

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21609067

--------------------------BEGIN INCLUDED TEXT--------------------

Potential security exposure with IBM WebSphere Application Server after
installing PM44303

Flash (Alert)

Abstract

After installing an Interim Fix for PM44303 or a Fix Pack containing PM44303,
there is a potential security exposure with IBM WebSphere Application Server.

Content

Affected Versions:

The problem affects the following IBM WebSphere Application Server
Distributed platforms, i5/OS platforms, z/OS platform Versions and IBM
WebSphere Application Server Hypervisor Edition with:

  * Version 6.1.0.43
  * Version 7.0.0.21 through 7.0.0.23
  * Version 8.0.0.2 through 8.0.0.4
  * Version 8.5.0.0 (Full Profile only)

The problem does not occur on the following versions:

  * Version 6.0.2
  * Version 6.1.0.0 through 6.1.0.41
  * Version 7.0.0.0 through 7.0.0.19
  * Version 8.0.0.0 through 8.0.0.1
  * Version 8.5.0.0 (Liberty Profile only)

CVE ID: CVE-2012-3325 (PM71296)

Problem Description:

If you have installed an Interim Fix for PM44303 or a Fix Pack listed above,
you have the potential for an authenticated user to bypass security
restrictions, caused by an error when validating user credentials.
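As an added triage aid (this is not IBM's or AusCERT's code), the affected, unaffected and first-fixed version ranges listed above, encoded so an asset inventory can be classified offline; the `profile` and `interim_fix_applied` arguments are assumptions standing in for facts the operator must supply, and a PM44303 Interim Fix on a level the bulletin does not list cannot be detected from the version string alone.

```python
"""Triage helper for CVE-2012-3325 / APAR PM71296 in IBM WebSphere
Application Server. Added example, not IBM's or AusCERT's code; it encodes
the version ranges exactly as the bulletin lists them."""


def parse_version(text):
    """'7.0.0.23' -> (7, 0, 0, 23); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


# Inclusive ranges from the bulletin's "affects" list.
AFFECTED = [("6.1.0.43", "6.1.0.43"), ("7.0.0.21", "7.0.0.23"),
            ("8.0.0.2", "8.0.0.4"), ("8.5.0.0", "8.5.0.0")]
# Inclusive ranges from the "does not occur" list (6.0.2 is handled as a stream).
UNAFFECTED = [("6.1.0.0", "6.1.0.41"), ("7.0.0.0", "7.0.0.19"),
              ("8.0.0.0", "8.0.0.1")]
# First Fix Pack per stream that contains PM71296 ("or later" is also fixed).
FIXED_FROM = {(6, 1): "6.1.0.45", (7, 0): "7.0.0.25",
              (8, 0): "8.0.0.5", (8, 5): "8.5.0.1"}


def _in_range(v, low, high):
    return parse_version(low) <= v <= parse_version(high)


def triage(version, profile="full", interim_fix_applied=False):
    """Return 'fixed', 'affected', 'not affected' or 'not listed'.
    profile and interim_fix_applied are assumed inputs from the operator."""
    v = parse_version(version)
    if interim_fix_applied:          # Interim Fix PM71296 resolves every stream
        return "fixed"
    if v == (8, 5, 0, 0) and profile.lower() == "liberty":
        return "not affected"        # only the Full Profile of 8.5.0.0 is exposed
    if v[:3] == (6, 0, 2):
        return "not affected"        # whole 6.0.2 stream is unaffected
    if any(_in_range(v, lo, hi) for lo, hi in AFFECTED):
        return "affected"
    if any(_in_range(v, lo, hi) for lo, hi in UNAFFECTED):
        return "not affected"
    fixed = FIXED_FROM.get(v[:2])
    if fixed and v >= parse_version(fixed):
        return "fixed"
    return "not listed"              # e.g. 7.0.0.24: open a PMR with IBM


def remediation(version):
    """Fix Pack (or later) the bulletin names for the version's stream."""
    return FIXED_FROM.get(parse_version(version)[:2])
```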
This could allow a user to gain unauthorized administrative access to an
application and potentially gain access to confidential and critical customer
data.

CVSS:

CVSS Base Score: 6.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77959 for the
  current score
CVSS Environmental Score*: undefined
CVSS String: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

Solutions:

Apply Interim Fix PM71296, or a Fix Pack containing the APAR, as noted below.

For IBM WebSphere Application Server for distributed operating systems and
IBM WebSphere Application Server Hypervisor Edition:

For V8.5.0.0 Full Profile:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply Fix Pack 1 (8.5.0.1), or later (targeted to be available end of
    October 2012).

For 8.0.0.2 through 8.0.0.4:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply Fix Pack 5 (8.0.0.5) or later (targeted to be available
    mid-November 2012).

For V7.0.0.21 through 7.0.0.23:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply Fix Pack 25 (7.0.0.25) or later (targeted to be available late
    September 2012).

For V6.1.0.43:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply Fix Pack 45 (6.1.0.45) or later (targeted to be available late
    September 2012).

For IBM WebSphere Application Server for i5/OS operating systems:

For V8.5.0.0 Full Profile:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply the WebSphere Application Server PTF group which includes Fix Pack 1
    (8.5.0.1), or later (targeted to be available end of October 2012).

For V8.0.0.2 through 8.0.0.4:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply the WebSphere Application Server PTF group which includes Fix Pack 5
    (8.0.0.5) or later (targeted to be available mid-November 2012).

For V7.0.0.21 through 7.0.0.23:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply the WebSphere Application Server PTF group which includes Fix Pack 25
    (7.0.0.25) or later (targeted to be available late September 2012).
For V6.1.0.43:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply the WebSphere Application Server PTF group which includes Fix Pack 45
    (6.1.0.45) or later (targeted to be available late September 2012).

For WebSphere Application Server for z/OS operating systems:

For V8.5.0.0 Full Profile:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply Fix Pack 1 (8.5.0.1), or later (targeted to be available end of
    October 2012).

For V8.0.0.2 through 8.0.0.4:
  * Apply Interim Fix APAR PM71296
  --OR--
  * Apply Fix Pack 5 (8.0.0.5) or later (targeted to be available
    mid-November 2012).

For z/OS operating systems Version 7 and Version 6.1 ++APAR:

You can apply the appropriate prebuilt ++APAR below or open a PMR (Problem
Management Record) with IBM WebSphere Application Server for z/OS Technical
support to request a custom-built ++APAR.

For V7.0.0.23:
  * Download and apply ++APAR BM71296
  --OR--
  * Apply APAR PM71296 by installing PTFs for Fix Pack 25 (7.0.0.25) or later
    (targeted to be available late September 2012).

For V7.0.0.21:
  * Download and apply ++APAR CM71296
  --OR--
  * Apply APAR PM71296 by installing PTFs for Fix Pack 25 (7.0.0.25) or later
    (targeted to be available late September 2012).

For V6.1.0.43:
  * Download and apply ++APAR AM71462. The ++APAR AM71462 will install for
    6.1.0.43 Base Edition, or for WebSphere Application Server V6.1 Feature
    Pack for EJB 3.0 on z/OS or WebSphere Application Server V6.1 Feature Pack
    for Web Services on z/OS.
  --OR--
  * Apply APAR PM71462 by installing PTFs for Fix Pack 45 (6.1.0.45) or later
    (targeted to be available late September 2012).

Note: Customers that require a fix at a different WebSphere service level not
mentioned above, or those who are running with a service level mentioned above
but also have an existing ++APAR, will need to open a PMR to work with IBM
Technical Support personnel to determine the best method for providing a fix
for their system.
Be prepared to provide to IBM your current service level, and any existing
++APARs that are already received/applied to your system.

Instructions for installing ++APARs:

1. FTP the file to your system in BINARY, into a FIXED RECORD LENGTH 1024
   data set.

2. Force these DCB attributes using the following TSO FTP client command right
   before the GET command:

      LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0

   If the ++APAR is quite large, then you can also pass along data set
   allocation information on the LOCSITE command. The example below gives the
   ++APAR file 300 cylinders in its primary and secondary extents. These
   numbers are just examples:

      LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0 PRI=300 SEC=300 CYL

3. UNTERSE the file

4. SMP/E RECEIVE and APPLY the ++APAR

5. You must SMP/E RESTORE OFF the ++APAR before installing further WebSphere
   maintenance.

Additional documentation:

For additional details and information on WebSphere Application Server product
updates:

  * For Distributed, see Recommended fixes for WebSphere Application Server.
  * For i5/OS, see WebSphere Application Server for i5/OS.
  * For z/OS, see WebSphere Application Server for z/OS

REFERENCES:

  * Complete CVSS Guide (link to http://www.first.org/cvss/cvss-guide.html)
  * On-line Calculator V2 (link to
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."

IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL
SECURITY VULNERABILITY.

Cross reference information

Segment              Product                                  Component  Platform       Version                                                   Edition
Application Servers  WebSphere Application Server for z/OS    Security   z/OS, OS/390   8.5, 8.0.0.4, 8.0.0.3, 8.0.0.2, 7.0.0.23, 7.0.0.21, 6.1.0.43
Application Servers  WebSphere Application Server Hypervisor  -          AIX, Linux     8.5, 8.0, 7.0, 6.1                                        All Editions
                     Edition

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================