PK00174: WEBSPHERE PORTS 1507 AND 5559 SECURITY EXPOSURE BINDING TO ZERO IP ADDRESS

APAR status
Closed as program error.

Error description
Problem Summary: When dual NIC interfaces are in play, WebSphere
ports bind to Zero-IP address, in this case, WEMPs ports 1507
and 5559. This is a security issue for customers.
Local fix
testfix has been provided
Problem summary
****************************************************************
* USERS AFFECTED: This problem affects customers who use the   *
*                 Embedded Messaging Server provided with      *
*                 WebSphere Application Server Version         *
*                 5.1.1.                                       *
****************************************************************
* PROBLEM DESCRIPTION: The Embedded JMS Server that ships      *
*                      with WebSphere Application Server       *
*                      Version 5.1.1.x provides a message      *
*                      broker that uses a number of ports for  *
*                      all its communication with the          *
*                      outside world:                          *
*                                                              *
*                       1507 - The Data Replication Services   *
*                              port                            *
*                       5559 - The port used by the broker     *
*                              to listen for incoming          *
*                              requests                        *
*                                                              *
*                      These ports are all bound to the TCP/IP *
*                      address 0.0.0.0. This means that        *
*                      customers with single or multiple       *
*                      instances of WebSphere Application      *
*                      Server in multiple Network card         *
*                      scenarios would experience port         *
*                      binding failures.                       *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The problem here was caused by the fact that the ports used
by the Embedded JMS Server's message broker were never being
bound to specific TCP/IP addresses.
Problem conclusion
The fix for this APAR is currently targeted for inclusion in
the JMS Cumulative Fix 4 for WebSphere Application Server -
IC46552. This can be downloaded from the following URL:

   https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=wsmqcsd

After the Cumulative Fix has been installed, you will need to
carry out the following steps in order to bind ports 1507 and
5559 to specific TCP/IP addresses:

- When the application server has restarted, bring up the
  WebSphere Administrative Console and log in.
- Expand the Servers entry in the left hand tree view, and
  click on the Application Servers link.
- The Application Servers panel will now appear, containing
  a list of application servers. Click on the entry for the
  appropriate application server.
- In the next panel, click on the Process Definition link
  within the Additional Properties table.
- The Process Definition panel should now appear. Click on
  the Java Virtual Machine link.
- In the Generic JVM arguments field, enter:

     -D-DDisthubNetAddr=x.x.x.x

  where x.x.x.x is the TCP/IP address that ports 1507 and
  5559 will be bound to.
- Click OK, and save the configuration changes.
- Log off the Administrative Console.

- Restart the Application Server.
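
To confirm the binding after the restart, the check below (an added example, not part of the APAR or IBM's fix) reads `netstat -an` output and lists any listener on the named ports that is still bound to a wildcard address. The function names and sample lines are constructed for illustration, and the parsing goes beyond the APAR by accepting the Linux, AIX, Solaris and Windows netstat layouts.

```shell
#!/bin/sh
# Added example: flag listeners on the given ports that are bound to a
# wildcard address (0.0.0.0, *, ::) instead of a specific interface.
# Reads `netstat -an` text on stdin; prints "<port> <bound-address>" per hit.
wildcard_listeners() {
    awk -v ports="$*" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /LISTEN/ {
        # The local address is the first of fields 1-4 that ends in
        # ":<port>" (Linux, Windows) or ".<port>" (AIX, Solaris).
        for (f = 1; f <= 4 && f <= NF; f++) {
            if (match($f, /[.:][0-9]+$/)) {
                port = substr($f, RSTART + 1)
                host = substr($f, 1, RSTART - 1)
                if ((port in want) && (host == "0.0.0.0" || host == "*" ||
                                       host == "::" || host == "[::]"))
                    print port " " host
                break
            }
        }
    }'
}

# Constructed sample input (not captured from a real system).
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:1507      0.0.0.0:*          LISTEN
tcp        0      0 192.0.2.10:5559   0.0.0.0:*          LISTEN
tcp4       0      0 *.5559            *.*                LISTEN
  TCP    0.0.0.0:9080    0.0.0.0:0    LISTENING
tcp        0      0 192.0.2.10:1507   198.51.100.7:40112 ESTABLISHED
EOF
}

# On a live server: netstat -an | wildcard_listeners 1507 5559
sample_netstat | wildcard_listeners 1507 5559
```

Empty output means neither port is listening on a wildcard address.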
Temporary fix

Comments

APAR information
APAR number: PK00174
Reported component name: WAS NETWRK DEPL
Reported component ID: 5630A3601
Reported release: 00I
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2005-01-28
Closed date: 2005-07-11
Last modified date: 2005-07-11

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
MSGING          

Publications Referenced

Fix information
Fixed component name: WAS NETWRK DEPL
Fixed component ID: 5630A3601

Applicable component levels
R003 PSN    UP
R00A PSN    UP
R00H PSN    UP
R00I PSN    UP
R00P PSN    UP
R00S PSN    UP
R00W PSN    UP
R103 PSY    UP
R10A PSY    UP
R10H PSY    UP
R10I PSY    UP
R10P PSY    UP
R10S PSY    UP
R10W PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 00I
Software edition:
Reference #: PK00174
IBM Group: Software Group
Modified date: Jul 11, 2005