PK28963; 5.1.0.5: ze - PQ99537 has incomplete prereq data
 Downloadable files
 
Abstract
Under some circumstances, JSP source code may be exposed. Details of how to expose JSP source code are not provided in order to limit the exposure.
 
Download Description
PK28963 resolves the following problem:

ERROR DESCRIPTION:
In some situations the source code of a JSP may be displayed. This APAR addresses one but not all of these situations. For a full solution PK23475 must also be applied.

This APAR replaces PQ99537.

A PQ99537 Interim Fix was created and released with inadequate prerequisite data, which prevented clients from successfully installing the Interim Fix. This "bad Interim Fix" was published in the document referenced below. In an attempt to correct the problem, a corrected version of the Interim Fix, named PQ99537 Express, was released with updated prerequisite data and published in the same document. This version has the complete prerequisite information and will apply correctly on WebSphere® Application Server ND, Base and Express V5.0. However, only the PQ99537 Express version will apply to Application Server V5.1.1.0 ND/Base. Again, this is a "bad Interim Fix" due to improper and misleading naming.

Interim Fix PQ99537 and its web page need to be removed and replaced with a new web page that provides a new Interim Fix for Application Server ND/Base/Express versions 5.0 and 5.1. The new Interim Fix should contain the complete code contained in PQ99537 Express as a single Interim Fix.


IBM - PQ99537; 5.0.2.9, 5.1.0.5, 5.1.1.3:
Possible JSP source code exposure
http://www.ibm.com/support/docview.wss?&context=SSEQTP&q1=PQ99537&uid=swg24008814&loc=en_US&cs=utf-8&lang=en

LOCAL FIX:
The local workaround is to install PQ99537 Express on Application Server V5.1 ND/Base, even though the Interim Fix name indicates "Express".

PROBLEM SUMMARY

USERS AFFECTED:
Users who provide a JSP for access based on file serving.

PROBLEM DESCRIPTION:
Under some circumstances, JSP source code may be exposed. Details of how to expose JSP source code are not provided in order to limit the exposure.


RECOMMENDATION:
None

The web container may incorrectly process a request and, as a result, display JSP source code.

This APAR replaces PQ99537.

The exposure reported has been closed. However, for full security from JSP source code exposures, PK23475 must also be installed.

This fix was originally provided under PQ99537, but the fix provided was badly named. This APAR simply provides a repackaged version of PQ99537 and did not require any additional code changes.

 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 7282
 
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
PK28963_Fix 10-24-2006 US English 6314 FTP DD
 
Technical support
Contact IBM Support using ESR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK
Problems (APARS) fixed
PK28963, PQ99537
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Servlet Engine/Web Container
Operating system(s): Windows
Software version: 5.1.1.3
Software edition:
Reference #: 4013840
IBM Group: Software Group
Modified date: Nov 17, 2006