PK28963; 5.1.0.5: ze - PQ99537 has incomplete prereq data
Downloadable files
Abstract
Under some circumstances jsp source code may be exposed.
Details of how to expose jsp source code are not provided in order to
limit the exposure.
Download Description
PK28963 resolves the following problem:
ERROR DESCRIPTION:
In some situations the source code of a JSP may be displayed. This APAR
addresses one but not all of these situations. For a full solution PK23475
must also be applied.
This APAR replaces PQ99537.
A PQ99537 Interim Fix was created and released with inadequate
prerequisite data which prevented clients from successfully installing the
Interim Fix. This "bad Interim Fix" was published in the document
referenced below. In an attempt to correct the problem a corrected version
of the Interim Fix, named PQ99537 Express, was released with updated
prerequisite data and published in the same document. This version has the
complete prerequisite information and will apply correctly on WebSphere®
Application Server ND, Base and Express V5.0. However, only the PQ99537
Express version will apply to Application Server V5.1.1.0 ND/Base. Again,
this is a "bad Interim Fix" due to improper and misleading naming.
Ifix PQ99537 and its web page need to be removed and replaced with a new
web page which provides a new Interim Fix for Application Server
ND/Base/Express version 5.0 and 5.1. The new Interim Fix should contain
the complete code contained in PQ99537 Express as a single Interim Fix.
LOCAL FIX:
The local workaround is to install PQ99537 Express on Application Server V5.1
ND/Base even though the Interim Fix name indicates "Express".
PROBLEM SUMMARY
USERS AFFECTED:
Users who provide a jsp for access based on file serving.
PROBLEM DESCRIPTION:
Under some circumstances jsp source code may be exposed. Details of how to
expose jsp source code are not provided in order to limit the exposure.
RECOMMENDATION:
None
The web container may incorrectly process a request and as a result
display jsp source code.
This APAR replaces PQ99537.
The exposure reported has been closed. However, for full security from jsp
source code exposures PK23475 must also be installed.
This fix was originally provided under PQ99537 but the fix provided was
badly named. This APAR simply provides a repackaged version of PQ99537
and did not require any additional code changes.
Prerequisites
Please download the UpdateInstaller below to install this fix.