IBM Support

PM53904: Possible security vulnerability with com.ibm.icu classes that contain a main() method


APAR status

  • Closed as program error.

Error description

  • Abstract:
    
    Some classes in the JWL library contain a main() method, which
    could be a possible security vulnerability.
    
    
    Problem:
    
    A main() method may be leftover debug code that creates an
    unintended entry point in a web application. Although this is an
    acceptable practice during product development, classes that are
    part of a production J2EE application should not define a main()
    method. Whether such a method can be remotely invoked depends on
    the configuration of the J2EE container and of the application
    itself.
    
    In this case the main() methods are not accessible, but they
    should be removed as good practice.
    
    Local fix:
    
    There is no known workaround at this time. The methods are not
    accessible.
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The presence of "main" methods used for testing during
    development in some classes of the ICU4J library, which is
    required by the IBM JSF Widgets Library (JWL) and included
    in JWL projects prompts security warnings on static analysis
    tools run against applications using JWL.
    
    A careful analysis of the warnings has been conducted and
    none of them present a security risk for web applications
    using the ICU4J library.
    
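    The static-analysis finding described above can be reproduced offline, which is useful for confirming whether a shipped icu4j.jar still carries the test entry points. The following is an added example, not IBM's or ICU's code: it parses each class file's constant pool and method table directly and reports classes that declare `public static void main(String[])`; `build_class` constructs a minimal class file purely so the check can be exercised without a real JAR, and the path passed to `scan_jar` is an assumption.

```python
import struct
import zipfile
# Constant-pool tag -> payload size; Utf8 (tag 1) is variable, Long/Double use two slots
_CP_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
             12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
MAIN_DESC = "([Ljava/lang/String;)V"

def _members(data, pos, pool):
    """Read one field/method table; return [(access, name, descriptor)] and the end offset."""
    n, pos, out = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2, []
    for _ in range(n):
        acc, ni, di, na = struct.unpack(">HHHH", data[pos:pos + 8])
        pos += 8
        for _ in range(na):  # skip attributes: u2 name_index, u4 length, bytes
            pos += 6 + struct.unpack(">I", data[pos + 2:pos + 6])[0]
        out.append((acc, pool.get(ni), pool.get(di)))
    return out, pos

def has_main(data: bytes) -> bool:
    """True if the class file declares public static void main(String[])."""
    count, pos, i, pool = struct.unpack(">H", data[8:10])[0], 10, 1, {}
    while i < count:  # constant pool: collect Utf8 entries, skip everything else
        tag = data[pos]
        if tag == 1:
            ln = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pool[i] = data[pos + 3:pos + 3 + ln].decode("utf-8", "replace")
            pos += 3 + ln
        else:
            pos += 1 + _CP_FIXED[tag]
        i += 2 if tag in (5, 6) else 1
    pos += 8 + 2 * struct.unpack(">H", data[pos + 6:pos + 8])[0]  # flags, this, super, ifaces
    _, pos = _members(data, pos, pool)      # fields (ignored)
    methods, _ = _members(data, pos, pool)  # methods
    return any(n == "main" and d == MAIN_DESC and acc & 0x0009 == 0x0009  # public static
               for acc, n, d in methods)

def scan_jar(path: str) -> list:
    """Class names in a JAR/WAR that define main(String[]); e.g. point it at icu4j.jar."""
    with zipfile.ZipFile(path) as zf:
        return [e.filename[:-6].replace("/", ".") for e in zf.infolist()
                if e.filename.endswith(".class") and has_main(zf.read(e))]

def build_class(name: str, with_main: bool) -> bytes:
    """Constructed minimal class file (no Code attribute), used only for offline testing."""
    utf8 = lambda s: b"\x01" + struct.pack(">H", len(s)) + s.encode()
    cp = [utf8(name), b"\x07\x00\x01", utf8("java/lang/Object"), b"\x07\x00\x03",
          utf8("main"), utf8(MAIN_DESC)]
    methods = struct.pack(">HHHHH", 1, 0x0009, 5, 6, 0) if with_main else b"\x00\x00"
    return (b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 49, len(cp) + 1) + b"".join(cp)
            + struct.pack(">HHHHH", 0x0021, 2, 4, 0, 0) + methods + b"\x00\x00")
```

    A non-empty result from `scan_jar` only shows that the entry points exist; as the APAR notes, whether they are reachable still depends on the container and application configuration.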

Problem conclusion

  • A defect was opened to the ICU project on icu.org to address
    this situation. They agreed to comment out the main classes
    and the fix is included in ICU4J version 49. This version of
    the icu4j library has been updated and is now used for newly
    created JWL projects.
    
    The fix for this APAR is included in Rational Application
    Developer v7.5.5.5 iFix1.
    

APAR Information

  • APAR number

    PM53904

  • Reported component name

    RATL APP DEV WI

  • Reported component ID

    5724J1901

  • Reported release

    750

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-12-08

  • Closed date

    2012-09-24

  • Last modified date

    2012-09-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    RATL APP DEV WI

  • Fixed component ID

    5724J1901

Applicable component levels

  • R750 PSN

       UP

Document Information

Modified date:
24 September 2012