PQ60064: AT CERTAIN PTF LEVELS(402)USER DEFINED PROPERTIES ARE EXPOSED AND CAUSES A SECURITY RISK.

A fix is available

System Management Component Cumulative Fix for 4.0.2/4.0.3/4.0.4/4.0.5



APAR status
Closed as program error.

Error description
A change in PTF levels has opened a vulnerability in security,
possibly opening a backdoor for access.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of WebSphere Application Server    *
*                 using 4.0.1 client code (admin console,      *
*                 wscp, XMLConfig) against a 4.0.2 (or higher) *
*                 level of admin server.                       *
****************************************************************
* PROBLEM DESCRIPTION: Client program presents plain text      *
*                      display of datasource passwords.        *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
This is a problem for WebSphere users of 4.0.2 or 4.0.3
admin server with a 4.0.1 client (admin console, wscp,
XMLConfig).  The client program will display plain text
versions of the datasource passwords.  This is NOT platform
specific.
Problem conclusion
Although mixing client and server from different WAS versions
is unsupported, this does present a security exposure.  Since
there is no control over what client version is used, a fix
was made on the server side only so that the encrypted (vs.
plain text) datasource password is displayed.
Test fix available and will become part of PTF 4.
Temporary fix
Available from L2
Comments
APAR information
APAR number PQ60064
Reported component name WEBSPHERE AE AI
Reported component ID 5630A2200
Reported release 400
Status CLOSED PER
PE NoPE
HIPER NoHIPER
Submitted date 2002-04-12
Closed date 2002-05-31
Last modified date 2002-05-31

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros
ADMIN          

SRLS

Fix information
Fixed component name WEBSPHERE AE AI
Fixed component ID 5630A2200

Applicable component levels
R400 PSY    UP


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > General
Operating system(s):
Software version: 400
Software edition:
Reference #: PQ60064
IBM Group: Software Group
Modified date: May 31, 2002