Potential risk when using Web based applications on WebSphere Application Server (PK81387)

Flashes (Alerts)

Abstract

Potential risk when using Web based applications on WebSphere Application Server.

Content



	Affected versions
	Problem description
	Solutions for WebSphere Application Server for Distributed
	Solutions for WebSphere Application Server for i5/OS
	Solutions for WebSphere Application Server for z/OS
	Additional documentation

Affected versions

This problem affects the following IBM WebSphere Application Server versions:

Version 5.1 through 5.1.1.19
Version 6.0 through 6.0.2.33
Version 6.1 through 6.1.0.22
Version 7.0 through 7.0.0.1 (7.0.0.2 does not exist)

This problem does not occur on the following versions:

Version 6.0.2.35 (6.0.2.34 for WebSphere Application Server for z/OS) or later
Version 6.1.0.23 or later
Version 7.0.0.3 or later

Problem description

Customers who have Web based applications including Web services applications running on WebSphere Application Server have a risk for an attacker having the ability to remote display or execute files on the server contained within a war file, including files under the web-inf and meta-inf directories. In addition, there is a potential risk for customers who are using the WebSphere administrative console with administrative security disabled. Credit to Edward Schaller for disclosing this problem to IBM.

Solutions for WebSphere Application Server for Distributed

Apply Interim Fix APAR PK81387 or a fix pack containing this APAR.

Version 7.0

Version	Solution
7.0 through 7.0.0.1	Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 3 or later (7.0.0.3 targeted to be available late March 2009)

Version 6.1

Version	Solution
6.1.0.11 through 6.1.0.21	Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 23 or later (6.1.0.23 targeted to be available late March 2009).
6.1.0.9	If PK60256 is already installed, then Upgrade to a Fix Pack between 6.1.0.17 and 6.1.0.21, and then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 23 or later (6.1.0.23 targeted to be available late March 2009). Without PK60256 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 23 or later (6.1.0.23 targeted to be available late March 2009).
6.1.0.7	If PK31377 is already installed, then Upgrade to a Fix Pack between 6.1.0.9 and 6.1.0.21, and then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 23 or later (6.1.0.23 targeted to be available late March 2009). Without PK31377 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 23 or later (6.1.0.23 targeted to be available late March 2009).
6.1 through 6.1.0.5	Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 23 or later (6.1.0.23 targeted to be available late March 2009).

Version 6.0.2

Version	Solution
6.0.2.21 through 6.0.2.33	Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 35 or later (6.0.2.35 targeted to be available early June 2009)
6.0.2.17 through 6.0.2.19	If PK31377 is already installed, then Upgrade to a Fix Pack between 6.0.2.21 and 6.0.2.23, and then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 35 or later (6.0.2.35 targeted to be available early June 2009) Without PK31377 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 35 or later (6.0.2.35 targeted to be available early June 2009)
6.0.2.11 through 6.0.2.15	Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 35 or later (6.0.2.35 targeted to be available early June 2009)
6.0.2.9	If PK27620 is already installed, then Upgrade to a Fix Pack between 6.0.2.15 and 6.0.2.33, and then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 35 or later (6.0.2.35 targeted to be available early June 2009) Without PK27620 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 35 or later (6.0.2.35 targeted to be available early June 2009)
6.0 through 6.0.2.7	Upgrade to Refresh Pack 2 (6.0.2), if not already at that level, and then Apply Interim Fix APAR PK81387 --OR-- Apply Fix Pack 35 or later (6.0.2.35 targeted to be available early June 2009)

Version 5.1

Version	Solution
5.1 through 5.1.1.19	Apply Interim Fix APAR PK81387 Available for 5.1.1.19, 5.1.1.15 through 5.1.1.18, 5.1.1.11 through 5.1.1.14, 5.1.1.9 through 5.1.1.10, 5.1.1.6 through 5.1.1.8, 5.1.1.5, 5.1.1.4, 5.1.1.3, 5.1.1.2. 5.1.1, 5.1.0.5, 5.1.0.1 through 5.1.0.4, and 5.1 Notes: V5.1 is no longer in service (ended 29 September 2008). Additional assistance will only be provided with the purchase of a support extension unless otherwise entitled to support.

Solutions for WebSphere Application Server for i5/OS

Apply Interim Fix APAR PK81387 or a fix pack containing this APAR.

Version 7.0

Version	Solution
7.0 through 7.0.0.1	Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions (7.0.0.3 targeted to be available early April 2009)

Version 6.1

Version	Solution
6.1.0.11 through 6.1.0.21	Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions (6.1.0.23 targeted to be available late March 2009).
6.1.0.9	If PK60256 is already installed, then Apply the WebSphere Application Server PTF group which includes Fix Pack 21, according to the PTF group instructions, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.(6.1.0.23 targeted to be available late March 2009) Without PK60256 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions (6.1.0.23 targeted to be available late March 2009).
6.1.0.7	If PK31377 is already installed, Apply the WebSphere Application Server PTF group which includes Fix Pack 21, according to the PTF group instructions, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions (6.1.0.23 targeted to be available late March 2009). Without PK31377 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions (6.1.0.23 targeted to be available late March 2009).
6.1 through 6.1.0.5	Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions (6.1.0.23 targeted to be available late March 2009).

Version 6.0.2

Version	Solution
6.0.2.21 through 6.0.2.33	Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be available early June 2009).
6.0.2.17 through 6.0.2.19	If PK31377 is already installed, then Apply the WebSphere Application Server PTF group which includes Fix Pack 31, according to the PTF group instructions, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be early June 2009). Without PK31377 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be early June 2009).
6.0.2.11 through 6.0.2.15	Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be early June 2009).
6.0.2.9	If PK27620 is already installed, then Apply the WebSphere Application Server PTF group which includes Fix Pack 31, according to the PTF group instructions, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be early June 2009). Without PK27620 installed, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be early June 2009).
6.0.2 through 6.0.2.7	Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be early June 2009).
6.0 through 6.0.1.2	Apply the WebSphere Application Server PTF group which includes Fix Pack 31, according to the PTF group instructions, then Apply Interim Fix APAR PK81387 --OR-- Apply the WebSphere Application Server PTF group which includes Fix Pack 35, or later, according to the PTF group instructions (6.0.2.35 targeted to be early June 2009).

Version 5.1

Version	Solution
5.1 through 5.1.1.19	If not already at Fix Pack 19 (5.1.1.19), apply the WebSphere Application Server PTF group which includes Fix Pack 19, according to the PTF group instructions, then Apply the PTFs for your WebSphere Application Server edition: Base Edition: 5733W51 SI34828 and 5733W51 SI34850 Express Edition: 5722E51 SI34830 Network Deployment Edition: 5733W51 SI34829 and 5733W51 SI34852 Note: The purchase of a support extension might be required, if additional assistance is needed, unless otherwise entitled to support.

Solutions for WebSphere Application Server for z/OS

Version 7.0

Version	Solution
7.0 through 7.0.0.1	Apply APAR PK81387 (with PK81944) by installing PTFs for Fix Pack V7.0.0.3 or later, available at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS (7.0.0.3 targeted to be available for z/OS early April 2009).

Version 6.1

Version	Solution
6.1 through 6.1.0.22	Apply APAR PK81387 (with PK81212) by installing PTFs for Fix Pack V6.1.0.23 or later, available at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS (6.1.0.23 targeted to be available for z/OS late March 2009)

Version 6.0

Version	Solution
6.0 through 6.0.2.33	Apply APAR PK81387 (with PK82244) by installing PTFs for Fix Pack V6.0.2.34 or later, available at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS (6.0.2.34 targeted to be available for z/OS April 2009).

Version 5.1

Version	Solution
5.1 through W510247	++APAR PK81387 on W510247 available upon request only. Notes: V5.1 is no longer in service (ended 29 September 2008). Additional assistance will only be provided with the purchase of a support extension.

Additional documentation

For additional details and information on WebSphere Application Server product updates:

For Distributed, see Recommended fixes for WebSphere Application Server
For i5/OS, see WebSphere Application Server for i5/OS
For z/OS, see WebSphere Application Server for z/OS

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.0;6.1;6.0;5.1.1;5.1","Edition":"Advanced;Base;Developer;Enterprise;Express;Network Deployment","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SS7K4U","label":"WebSphere Application Server for z\/OS"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Security","Platform":[{"code":"","label":"OS\/390"},{"code":"PF035","label":"z\/OS"}],"Version":"7.0;6.1;6.0;5.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}},{"Product":{"code":"SSZPYC","label":"Solution for Compliance in a Regulated Environment (SCORE)"},"Business Unit":{"code":"BU053","label":"Cloud \u0026 Data Platform"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"5.1.2;5.1.3;5.1.3.1;5.1.3.2;6.1","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Tips

Potential risk when using Web based applications on WebSphere Application Server (PK81387)

Flashes (Alerts)

Abstract

Content

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?