Fix (APAR): PK23475
Status: Fix
Releases: 6.1.0, 6.1.0.1, 6.0.0.1-6.0.2.11, 5.0 - 5.1.1.11, 4.0.5-4.0.7
Operating System: AIX, HP-UX, Linux, Solaris, Windows
Supersedes Fixes:
PRE-REQUISITE FIXES:
EXCLUSIVE-REQUISITE FIXES:
CMVC Defect: PK23475
Byte size of APAR: Various
Date: 2006/2007

Abstract: fileServingEnabled set to true for an ExtendedDocumentRoot directory leaves possibility of JSP source code exposure.

Description/symptom of problem:
PK23475 resolves the following problem:

ERROR DESCRIPTION:
Source code exposed when a JSP is placed outside the WAR file. The problem happens when the customer maintains the JSP file outside of the WAR file using the IBM extension feature called ExtendedDocumentRoot with file serving enabled (as defined in the ibm-web-ext.xmi file in the WAR module).

LOCAL FIX:
In the interim, the customer should be able to designate separate directories or jars for the JSP and fileServing extended document root values, which would resolve this.

PROBLEM SUMMARY
USERS AFFECTED: Customers who provide JSPs for access from an ExtendedDocumentRoot directory based on file serving (fileServingEnabled set to true).
PROBLEM DESCRIPTION: fileServingEnabled set to true for an ExtendedDocumentRoot directory leaves possibility of JSP source code exposure.
RECOMMENDATION: None

If an extendedDocumentRoot directory is defined, fileServingEnabled is set to true, and a JSP is stored in the extendedDocumentRoot directory, there is a risk that the source code of the JSP will be exposed, for example when the JSP is requested from a browser using a particular format of request that makes use of the file serving enablement. This is potentially a security issue. The problem does not exist if fileServingEnabled is false or if an extendedDocumentRoot directory is not used.

PROBLEM CONCLUSION:
The code has been updated to prevent access to JSP source code from an extendedDocumentRoot directory when fileServingEnabled is set to true.
The same level of checking is now performed whether a JSP is accessed from a subdirectory of the application WAR directory or from an extendedDocumentRoot directory with fileServingEnabled set to true.

The fix for this APAR is currently targeted for inclusion in cumulative fix 5.1.1.12 and fix packs 6.0.2.13 and 6.1.0.2. Please refer to the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix for versions 6.1.x:

Fix applies to Editions:
  Release:  6.0   6.1
            ___   X__   Application Server (Express or Base)
            ___   X__   Network Deployment (ND)
            ___   ___   WebSphere Business Integration Server Foundation (WBISF)
            ___   ___   Edge Components
            ___   ___   Developer
            ___   ___   Extended Deployment (XD)

Install Fix To:
  Method:   X_ Application Server Nodes
            __ Deployment Manager Nodes
            __ Both

NOTE: The user must:
  * Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
  * Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
  * Be at V6.1.0.0 or later of the Update Installer. This can be checked by reviewing the level of the Update Installer in the file /updateInstaller/version.txt

The Update Installer can be downloaded from the following link:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24012718

For detailed instructions on how to extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006162

1) Copy the 6.1.0-WS-WAS-IFPK23475.pak file directly to the maintenance directory.
2) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the 6.1.0-WS-WAS-IFPK23475.pak file which was copied into the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.

Directions to remove the fix for versions 6.1.x:

NOTE:
  * The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
  * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
  * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
  * YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that uninstall is being run against. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
2) Launch the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (6.1.0-WS-WAS-IFPK23475.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to apply the fix for versions 6.0.x:

Fix applies to Editions:
  Release:  6.0   6.1
            X__   ___   Application Server (Express or Base)
            X__   ___   Network Deployment (ND)
            ___   ___   WebSphere Business Integration Server Foundation (WBISF)
            ___   ___   Edge Components
            ___   ___   Developer
            ___   ___   Extended Deployment (XD)

Install Fix To:
  Method:   X_ Application Server Nodes
            __ Deployment Manager Nodes
            __ Both

NOTE: The user must:
  * Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
  * Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
  * Be at V6.0.2.2 or later of the Update Installer. This can be checked by reviewing the level of the Update Installer in the file /updateInstaller/version.txt

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24008401

For detailed instructions on how to extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg27006162

1) Copy the 6.0.x.x-WS-WAS-PK23475.pak file directly to the maintenance directory.
2) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the 6.0.x.x-WS-WAS-PK23475.pak file which was copied into the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.

Directions to remove fix for versions 6.0.x:

NOTE:
  * The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
  * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
  * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
  * YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that uninstall is being run against.
It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
2) Launch the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (6.0.x.x-WS-WAS-IFPK23475.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to apply fix for versions 5.x:

Fix applies to Editions:
  Release:  5.0   5.1
            X__   X__   Application Server (Express or base)
            ___         Enterprise Edition (DD)
            X__   X__   Network Deployment (ND)
            ___   ___   Edge Components
            ___   ___   Developers Edition
            ___   ___   Tools
            ___         WebSphere Business Integration Server Foundation (WBISF)

Install Fix to:
  Method:   X_ Application Server Nodes
            __ Deployment Manager Nodes
            __ Both

NOTE: The user must:
  * Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
  * Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=80&uid=swg24008401

The Update Installer for V5.0 does not have a maintenance directory. It uses fixpacks and fixes as the location of the unpacked files.

1) Copy the 5.x.x.x-PK23475_Fix.jar file to the maintenance directory.
2) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the 5.x.x.x-PK23475_Fix.jar file which was copied into the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.

Directions to remove fix for versions 5.x:

NOTE:
  * The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
  * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
  * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
  * YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shutdown WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that uninstall is being run against. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (5.x.x.x-PK23475_Fix.jar).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to apply fix for versions 4.x:

1) Create a temporary "fix" directory to store the jar file:
     AIX:            /tmp/WebSphere/fix
     Solaris/Linux:  /tmp/WebSphere/fix
     Windows:        c:\temp\WebSphere\fix
2) Copy the jar file to that directory.
3) Shutdown WebSphere. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
4) Run the jar file with the following command, answering questions/prompts as they appear:
     java -jar 4.0.x-WS-WAS-IFPK23475_Fix.jar
5) Restart WebSphere.
6) The temp directory may be removed but the jar file should be saved.
Do not remove any files created and stored in the /WebSphere/AppServer/fix/ directories. These files are required if a fix is to be removed.

Directions to remove fix for versions 4.x:

NOTE:
  FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
  DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
  YOU MAY REAPPLY ANY REMOVED FIX.

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Change directory to the fix location (/WebSphere/AppServer/fix/).
2) Shutdown WebSphere. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
3) Run the backup jar file with the following command:
     java -jar 4.0.x-WS-WAS-IFPK23475_Fix_backup.jar
4) Restart WebSphere.

Directions to re-apply fix:

1) Shutdown WebSphere. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed, before installing the fix.
2) Follow the instructions to apply the fix.
3) Restart WebSphere.

Additional Information:
The supplied iFix applies more generally to JSP source code exposures than the description implies.
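As an added illustration of the at-risk condition described under PROBLEM SUMMARY and the interim LOCAL FIX (this is not part of the APAR text or of IBM's code): a small audit that reads a WAR's ibm-web-ext.xmi and reports whether fileServingEnabled is true while the same extendedDocumentRoot is listed for both JSPs and file serving. The descriptor element names (jspAttributes, fileServingAttributes) and the sample descriptor are assumptions constructed here; check them against your own WAR before relying on the result.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample ibm-web-ext.xmi, not taken from any real deployment.
# Element/attribute names (fileServingEnabled, jspAttributes,
# fileServingAttributes) are assumed here; verify against your own WAR.
VULNERABLE_XMI = """<webappext:WebAppExtension xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi"
    xmi:id="WebAppExtension_1" fileServingEnabled="true">
  <webApp href="WEB-INF/web.xml#WebApp_ID"/>
  <jspAttributes xmi:id="JSPAttribute_1" name="extendedDocumentRoot"
      value="/opt/app/shared"/>
  <fileServingAttributes xmi:id="FileServingAttribute_1"
      name="extendedDocumentRoot" value="/opt/app/shared,/opt/app/static"/>
</webappext:WebAppExtension>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _roots(root: ET.Element, element: str) -> List[str]:
    """Collect the comma-separated extendedDocumentRoot entries of one element type."""
    out: List[str] = []
    for el in root.iter():
        if _local(el.tag) == element and el.get("name") == "extendedDocumentRoot":
            out += [p.strip() for p in el.get("value", "").split(",") if p.strip()]
    return out


def audit_web_ext(xmi_text: str) -> Dict[str, object]:
    """Flag the PK23475 condition: fileServingEnabled=true while an
    extendedDocumentRoot is used both for JSPs and for file serving."""
    root = ET.fromstring(xmi_text)
    file_serving = root.get("fileServingEnabled", "false").lower() == "true"
    jsp_roots = _roots(root, "jspAttributes")
    fs_roots = _roots(root, "fileServingAttributes")
    shared = sorted(set(jsp_roots) & set(fs_roots))
    return {
        "fileServingEnabled": file_serving,
        "jspRoots": jsp_roots,
        "fileServingRoots": fs_roots,
        "sharedRoots": shared,
        # Interim workaround from the APAR: keep the JSP and file-serving
        # roots disjoint, or leave fileServingEnabled false.
        "atRisk": file_serving and bool(shared),
    }
```

Run it over each unpacked WAR's WEB-INF/ibm-web-ext.xmi; an "atRisk" result means the interim workaround has not been applied and the iFix is still needed on that module.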