PQ53048: WEBSPHERE ADMIN PASSWORD SECURITY ISSUE: PASSWORD CAN BE OBTAINED VIA SASCONFIG

APAR status
Closed as program error.

Error description
Security issue revealed in WebSphere Application Server 4.0:
any user with the ability to submit JSP(TM) files to WebSphere
4.0 can obtain the Admin password in clear text via SASConfig.
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: All WebSphere Application Server users       *
*                 which have enabled security.                 *
****************************************************************
* PROBLEM DESCRIPTION: Developers could get the security       *
*                      server password.  The process involves  *
*                      deploying code, which, if the           *
*                      developers are not trusted, should be   *
*                      reviewed in any case.                   *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Developers could get the security server password.
Problem conclusion
Mechanism for getting password was removed.
Temporary fix

Comments

APAR information
APAR number: PQ53048
Reported component name: WEBSPHERE AE NT
Reported component ID: 5630A2201
Reported release: 400
Status: CLOSED PER
PE: NoPE
HIPER: NoHIPER
Submitted date: 2001-10-03
Closed date: 2001-10-30
Last modified date: 2003-04-24

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
SECURITY          

Fix information
Fixed component name: WEBSPHERE AE NT
Fixed component ID: 5630A2201

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ53048
IBM Group: Software Group
Modified date: Apr 24, 2003