APAR status
Closed as program error.
Error description
There was a discussion with the development team on this issue, and
it was concluded that the monitor role should not be given
permission to export an Enterprise Application or its DDL.
As of today, the monitor role can export the EAR file, which should not
be allowed by design.
Local fix
NA.
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users working   *
*                 in an environment where security is enabled. *
****************************************************************
* PROBLEM DESCRIPTION: Application Server users in monitor     *
*                      role can export an Application or its   *
*                      DDL or publish the WSDL file            *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Application Server was allowing users in the monitor role to
export an application, run exportDDL, or publish WSDL for an
application through the admin console or with wsadmin.
The monitor role, being the least privileged, should not be
allowed to perform this activity.
Problem conclusion
Through the admin console or wsadmin it was uncovered that a
caller in the monitor role can export an application or its DDL
files, and publish its WSDL files. By design, the monitor role is
configured with least privilege: a user in that role can only
view the WebSphere Application Server configuration and its
current state. Allowing the monitor role to perform the above
activities is a security issue because it lets the least
privileged role export EAR files, which may contain sensitive
resource and property files.
Exporting an application, its DDL, or its WSDL requires the same
ACL as install/uninstall. For this, the caller has to be in the
configurator role or above.
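The rule stated above (export-type operations must be gated at the same role as install/uninstall) can be expressed as a policy check. The following is an added example, not IBM code: it models WebSphere-style admin roles, compares the pre-fix and post-fix authorization tables for the operations named in this APAR, and flags export-like operations whose required role is lower than install's. The roles operator and administrator are WebSphere's documented roles and are assumed here; the page itself only names monitor and configurator.

```python
# Added example (not IBM code). Role names monitor/configurator and the
# operations export, exportDDL, publish WSDL, install, uninstall come from
# the APAR text; operator and administrator are WebSphere's documented
# roles, added here as an assumption to complete the hierarchy.
ROLE_RANK = {"monitor": 0, "operator": 1, "configurator": 2, "administrator": 3}

# Minimum role required for each admin operation, before and after the fix.
# Pre-fix: export-type operations were reachable by the least-privileged role.
POLICY_BEFORE_FIX = {
    "install": "configurator", "uninstall": "configurator",
    "export": "monitor", "exportDDL": "monitor", "publishWSDL": "monitor",
    "view": "monitor",
}
# Post-fix: export/exportDDL/publishWSDL use the same ACL as install/uninstall.
POLICY_AFTER_FIX = {**POLICY_BEFORE_FIX, "export": "configurator",
                    "exportDDL": "configurator", "publishWSDL": "configurator"}

def is_authorized(role, operation, policy):
    """True if `role` is at or above the role `policy` requires for `operation`."""
    required = policy[operation]
    return ROLE_RANK[role] >= ROLE_RANK[required]

# Operations that hand the caller the same artifacts install/uninstall touch
# (the EAR with its resource and property files, DDL, WSDL) must not be
# gated lower than install itself. This check detects that class of drift.
EXPORT_LIKE = ("export", "exportDDL", "publishWSDL")

def find_underprivileged_exports(policy):
    """Return export-like operations whose required role is below install's."""
    install_rank = ROLE_RANK[policy["install"]]
    return sorted(op for op in EXPORT_LIKE
                  if ROLE_RANK[policy[op]] < install_rank)

if __name__ == "__main__":
    print("pre-fix drift: ", find_underprivileged_exports(POLICY_BEFORE_FIX))
    print("post-fix drift:", find_underprivileged_exports(POLICY_AFTER_FIX))
    print("monitor may export post-fix:",
          is_authorized("monitor", "export", POLICY_AFTER_FIX))
```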
An iFix is available for this problem.
The fix for this APAR is currently targeted for inclusion in
fixpacks 5.02.10 and 5.1.1.3.
Please refer to the Recommended Updates page for delivery
dates:
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&uid=swg27004980
Temporary fix
Comments
APAR information
APAR number | PQ94918
Reported component name | WAS NETWRK DEPL
Reported component ID | 5630A3601
Reported release | 00A
Status | CLOSED PER
PE | NoPE
HIPER | NoHIPER
Special Attention | NoSpecatt
Submitted date | 2004-09-26
Closed date | 2004-11-29
Last modified date | 2004-11-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Applicable component levels
R00A PSY | UP
R00H PSY | UP
R00I PSY | UP
R00P PSY | UP
R00S PSY | UP
R00W PSY | UP
R10A PSY | UP
R10H PSY | UP
R10I PSY | UP
R10P PSY | UP
R10S PSY | UP
R10W PSY | UP