APAR status
Closed as program error.
Error description
When trace is enabled in WebSphere, query string parameters are
written to the log file. These may contain confidential
information such as credit card numbers. The customer wants an
option to filter certain parameters so that they are not
displayed in the trace file.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: WebSphere Application Server users with      *
*                 debug level of trace enabled                 *
****************************************************************
* PROBLEM DESCRIPTION: When web container debug level trace    *
*                      is enabled, post form data is logged    *
*                      as plain text in the trace file.        *
*                      Post form data could contain sensitive  *
*                      client information and should be        *
*                      protected.                              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
For debug purposes, post form data is logged. But post
parameter values should be masked in order to hide client
sensitive information, especially in secure applications.
Problem conclusion
Logging post data may still be required for problem
determination purposes, so this fix masks post form data
parameter values when a request is secure or when a parameter
name contains "password" (case insensitive).
There is no general way to analyze whether post data contains
sensitive data; the only safe assumption is to protect all
secure post data and anything with "password" in the name.
request.isSecure() is used to identify whether a request is
secure.
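The masking rule from the problem conclusion, as an added example that is not WebSphere's own code: it takes the parsed POST parameters together with the request's isSecure() result and returns what would be written to trace. The function names, the optional extra_name_patterns list (which goes beyond the APAR rule) and the sample request are assumptions made for this illustration.

```python
import re
from typing import Dict, Iterable, List

MASK = "********"
# The fix's own rule: any parameter whose name contains "password" is masked,
# matched case-insensitively, on secure and non-secure requests alike.
PASSWORD_NAME = re.compile(r"password", re.IGNORECASE)


def mask_for_trace(params: Dict[str, List[str]], is_secure: bool,
                   extra_name_patterns: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return a copy of the parsed POST parameters that is safe to trace.

    Mirrors the APAR rule: when is_secure (request.isSecure()) is True every
    value is masked; otherwise only values whose name contains "password".
    extra_name_patterns is an assumption of this example, not part of the fix:
    it lets a deployment also mask names such as card numbers on plain HTTP,
    which the APAR rule alone would still write to trace in clear text.
    """
    extra = [re.compile(p, re.IGNORECASE) for p in extra_name_patterns]
    masked: Dict[str, List[str]] = {}
    for name, values in params.items():
        sensitive = (is_secure
                     or PASSWORD_NAME.search(name) is not None
                     or any(p.search(name) for p in extra))
        masked[name] = [MASK] * len(values) if sensitive else list(values)
    return masked


def format_trace_entry(params, is_secure, extra_name_patterns=()):
    """Render one trace line from the masked parameters, names sorted."""
    masked = mask_for_trace(params, is_secure, extra_name_patterns)
    fields = ["%s=%s" % (n, ",".join(masked[n])) for n in sorted(masked)]
    return "POST params: " + " ".join(fields)


# Constructed sample request: a checkout form submitted over plain HTTP.
SAMPLE_PARAMS = {
    "user": ["alice"],
    "Password": ["hunter2"],
    "cardNumber": ["4111111111111111"],
    "items": ["12", "34"],
}

if __name__ == "__main__":
    print(format_trace_entry(SAMPLE_PARAMS, is_secure=False))
    print(format_trace_entry(SAMPLE_PARAMS, is_secure=True))
    print(format_trace_entry(SAMPLE_PARAMS, False, extra_name_patterns=[r"card"]))
```

Running it shows the gap the problem conclusion admits: on a non-secure request only the "Password" field is masked and the card number still reaches the trace, which is what the extra name list is for.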
The fix for this APAR is currently targeted for inclusion
in 5.02.12 and 5.1.1.5.
Please refer to the recommended updates page for delivery
information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR information
APAR number: PK02063
Reported component name: WAS BASE 5.0
Reported component ID: 5630A3600
Reported release: 10W
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2005-03-04
Closed date: 2005-05-19
Last modified date: 2005-05-26
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
Publications Referenced
Fix information
Fixed component name: WAS BASE 5.0
Fixed component ID: 5630A3600
Applicable component levels:
R003 PSY UP
R00A PSY UP
R00H PSY UP
R00I PSY UP
R00P PSY UP
R00S PSY UP
R00W PSY UP
R103 PSY UP
R10A PSY UP
R10H PSY UP
R10I PSY UP
R10P PSY UP
R10S PSY UP
R10W PSY UP