IBM Support

PI99445: SECURITY SCAN OF MOBILEFIRST DETECTED A USE OF HARD-CODED PASSWORD

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • Product components impacted: MobileFirst Android and Cordova
    JSONStore SDKs
    Mobile Devices Operating Systems impacted: Android
    User roles impacted: Developer
    Distribution: Fix Central
    Versions affected: 8.0
    There is a vulnerability in MFP v8.0 in regards to use of
    Hard-coded Password in MobileFirst code:
    password = "a23456790112345b";
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:                                              *
    * Developers of Mobile First apps for Android & Cordova using  *
    * JSONStore                                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION:                                         *
    * Security scan of a MobileFirst app using the JSONStore SDK   *
    * detected a use of hard coded  password.This is seen only in  *
    * Android. For more details                                    *
    * https://cwe.mitre.org/data/definitions/259.html              *
    * Although this is a false positive since the password is not  *
    * used to protect any data, this string has been removed from  *
    * the code.                                                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    * -                                                            *
    ****************************************************************
    

Problem conclusion

  • Fixed the false positive report of a hard-coded password by
    removing the string from the code
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI99445

  • Reported component name

    MOBILE1ST PF EN

  • Reported component ID

    5725I4300

  • Reported release

    800

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-06-21

  • Closed date

    2018-07-26

  • Last modified date

    2018-07-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MOBILE1ST PF EN

  • Fixed component ID

    5725I4300

Applicable component levels

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSZH4A","label":"IBM Worklight"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"800","Edition":"","Line of Business":{"code":"LOB15","label":"Integration"}}]

Document Information

Modified date:
26 July 2018