IBM Support

JR35136: CMVC 194430 - WEBSPHERE COMMERCE ENHANCEMENT TO SESSION SECURITY

Direct links to fixes

7.0.0-WS-WCServer-FP009
WebSphere Commerce Version 7.0.0.1 Fix Pack
WebSphere Commerce Version 6.0.0.10 Fix Pack
WebSphere Commerce Version 6.0.0.11 Fix Pack
WebSphere Commerce Version 7.0.0.4 Fix Pack
WebSphere Commerce Version 7.0.0.3 Fix Pack
WebSphere Commerce Version 7.0.0.5 Fix Pack
WebSphere Commerce Version 7.0.0.6 Fix Pack
WebSphere Commerce Version 7.0.0.7 Fix Pack
WebSphere Commerce Version 7.0.0.8 Fix Pack
WebSphere Commerce Version 7.0.0.9 Fix Pack
JR35136: WebSphere Commerce enhancement to session security
JR46386 - Security APAR CVE-2013-0523: Possible security vulnerability could allow disclosure of user personal data

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Websphere Commerce enhances the security in session management
by generating the session information (session cookie or URL
parameters) with a generated encryption key different from the
merchant key provided by the administrator.  This enhancement
employs separate keys for session and data encryption to improve
the overall security for WebSphere Commerce sites.

Local fix

  • 



Problem summary


    

  • USERS AFFECTED:
All WebSphere Commerce customers who wish to enhance session
security.

PROBLEM ABSTRACT:
WebSphere Commerce enhancement to session security.

BUSINESS IMPACT:
Enhance overall security of WebSphere Commerce.

RECOMMENDATION:

    



Problem conclusion


    

  • This fix introduces a new encryption key different from the
merchant key to encrypt session data.  Seperating the key to
encrypt session and database data enhances the overall security
of WebSphere Commerce.

-------------------------------------------------------------
The latest available maintenance information can be obtained
from the Recommended Fixes for WebSphere Commerce technote:
http://www.ibm.com/support/docview.wss?rs=3046&uid=swg21261296

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR35136
    • 

  • Reported component name
    WC BUS EDITION
    • 

  • Reported component ID
    5724I3800
    • 

  • Reported release
    700
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2009-12-15
    • 

  • Closed date
    2010-03-31
    • 

  • Last modified date
    2010-03-31
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WC BUS EDITION
    • 

  • Fixed component ID
    5724I3800
    • 



Applicable component levels


    

  • R600  PSY
       UP
    • 

  • R700  PSY
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSYSYL","label":"WebSphere Commerce Enterprise"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.0","Edition":"","Line of Business":{"code":"","label":""}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            31 March 2010
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback