PQ79541: Security Exposure issue in WAS private HTTP header

Fixes are available

PQ82629; 5.0.2.2: servlet context not available
PQ79541: Configuring the trusted mode to determine if administrators can
5.0.2.7: WebSphere Application Server Express 5.0.2 Cumulative Fix 7
5.0.2.12: WebSphere Application Server 5.0.2 Cumulative Fix 12
5.0.2.13: WebSphere Application Server 5.0.2 Cumulative Fix 13
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for AIX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Solaris
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for HP-UX
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Windows
5.0.2.14: WebSphere Application Server 5.0.2 Cumulative Fix 14 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Windows
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Solaris
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for AIX
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for Linux
5.0.2.15: WebSphere Application Server 5.0.2 Cumulative Fix 15 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for HP-UX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for AIX
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Solaris
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Windows
5.1.1.9: WebSphere Application Server V5.1.1 Cumulative Fix 9 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for AIX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for HP-UX
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Linux
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Windows
5.0.2.16: WebSphere Application Server 5.0.2 Cumulative Fix 16 for Solaris
5.0.2.8: WebSphere Application Server V5.0.2 Cumulative Fix 8
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for HP-UX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for AIX
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Solaris
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Windows
5.1.1.10: WebSphere Application Server V5.1.1 Cumulative Fix 10 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Windows
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Solaris
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for HP-UX
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for Linux
5.0.2.17: WebSphere Application Server 5.0.2 Cumulative Fix 17 for AIX
APAR status
Closed as program error.

Error description
Security exposure issue in WAS private HTTP header
Local fix

Problem summary
****************************************************************
* USERS AFFECTED: Users who would like to configure the        *
*                 trusted mode of the internal Http            *
*                 Transport to determine if administrators     *
*                 can trust private HTTP headers or not.       *
****************************************************************
* PROBLEM DESCRIPTION: WebSphere Application Server has        *
*                      further tightened security by           *
*                      introducing a configuration option      *
*                      that permits administrators to          *
*                      specify if they trust private HTTP      *
*                      headers or not.                         *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
Carefully evaluate whether sufficient trust has been established
before enabling the WebSphere Application Server internal HTTP
Transport in trusted mode in a production environment.
When trusted mode is enabled, the WebSphere Application Server
internal HTTP Transport allows the user identity to be asserted
by adding the client certificate to the HTTP header. The Web
server plug-in can use this feature to support client
certificate authentication. The HTTP header does not carry
verifiable information that WebSphere Application Server can use
to determine the identity of the server asserting the client
certificate. Establish a secure communication channel with
transport-level authentication between the Web server plug-in
and WebSphere Application Server to avoid HTTP header spoofing.
Problem conclusion
You can configure trusted mode for each HTTP port independently,
and you should disable it on any port that client machines can
access directly, whether from the Internet or the intranet.
Transports for which you set Trusted to false do not accept
client certificate assertion; they return HTTP error 403 and
write a message similar to the following to your log file:
Requests through proxies such as the WebSphere webserver
plug-in are not permitted to this port.
The HTTP transport on port 9080 is not configured to be trusted.
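The following Python is an added illustration, not IBM's code or configuration and not part of this APAR. It models the two checks the guidance above implies for a defender: an audit that flags transports set to Trusted while directly reachable by clients, and a per-port count of the quoted 403 log message. The Transport fields, the sample configuration and the sample log lines are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Final sentence of the log message quoted in the APAR; only the port varies.
UNTRUSTED_PORT_RE = re.compile(
    r"The HTTP transport on port (?P<port>\d+) is not configured to be trusted\."
)

@dataclass(frozen=True)
class Transport:
    """Assumed model of one HTTP transport, not WebSphere's real config schema."""
    port: int
    trusted: bool           # the per-port Trusted setting described in the APAR
    client_reachable: bool  # assumption: client machines can reach this port directly

def audit_transports(transports):
    """Return ports that are Trusted yet directly reachable by client machines.

    The APAR says to disable trusted mode on such ports: the private header
    carries nothing that lets the server verify who asserted the certificate.
    """
    return sorted(t.port for t in transports if t.trusted and t.client_reachable)

def count_rejected_assertions(log_text):
    """Count, per port, the HTTP 403 rejections logged for certificate
    assertions sent to a transport whose Trusted setting is false."""
    counts = {}
    for line in log_text.splitlines():
        match = UNTRUSTED_PORT_RE.search(line)
        if match:
            port = int(match.group("port"))
            counts[port] = counts.get(port, 0) + 1
    return counts

# Constructed sample data; not real WebSphere configuration or log output.
SAMPLE_TRANSPORTS = [
    Transport(port=9080, trusted=False, client_reachable=True),
    Transport(port=9443, trusted=True, client_reachable=True),   # violates guidance
    Transport(port=9081, trusted=True, client_reachable=False),  # plug-in only
]

SAMPLE_LOG = """\
[12/5/03 10:02:11] Requests through proxies such as the WebSphere webserver plug-in are not permitted to this port. The HTTP transport on port 9080 is not configured to be trusted.
[12/5/03 10:02:12] Requests through proxies such as the WebSphere webserver plug-in are not permitted to this port. The HTTP transport on port 9080 is not configured to be trusted.
[12/5/03 10:04:37] Requests through proxies such as the WebSphere webserver plug-in are not permitted to this port. The HTTP transport on port 9090 is not configured to be trusted.
[12/5/03 10:05:00] Application started normally.
"""
```

A steady stream of these rejections on one port means something other than the Web server plug-in is sending client-certificate assertions straight to the application server, which is worth investigating even though the transport already refused them.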
Temporary fix

Comments
APAR information
APAR number PQ79541
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2003-10-13
Closed date 2003-12-05
Last modified date 2003-12-05

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:
PQ81764

Modules/Macros
utils

SRLS

Fix information

Applicable component levels
R400 PSY    UP

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ79541
IBM Group: Software Group
Modified date: Dec 5, 2003