PQ60064: AT CERTAIN PTF LEVELS(402)USER DEFINED PROPERTIES ARE EXPOSED AND CAUSES A SECURITY RISK.
APAR status
Closed as program error.

Error description
A change in PTF levels has opened a vulnerability in security, possibly opening a backdoor for access.

Local fix

Problem summary
USERS AFFECTED: All users of WebSphere Application Server using 4.0.1 client code (admin console, wscp, XMLConfig) against a 4.0.2 (or higher) level of admin server.
PROBLEM DESCRIPTION: Client program presents plain text display of datasource passwords.
RECOMMENDATION:

This is a problem for WebSphere users of a 4.0.2 or 4.0.3 admin server with a 4.0.1 client (admin console, wscp, XMLConfig). The client program will display plain text versions of the datasource passwords. This is NOT platform specific.

Problem conclusion
Although mixing client and server from different WAS versions is unsupported, this does present a security exposure. Since there is no control over what client version is used, a fix was made on the server side only so that the encrypted (vs. plain text) datasource password is displayed.
Test fix available and will become part of PTF 4.

Temporary fix
Available from L2

Comments

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
SRLS

Document Information
Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ60064
IBM Group: Software Group
Modified date: May 31, 2002
(C) Copyright IBM Corporation 2000, 2006. All Rights Reserved.