Fix (APAR):  PK28963

Status:  Fix

Release:  5.1.0.5,5.1.0.4,5.1.0.3,5.1.0.2,5.0.2.9,5.0.2.8,5.0.2.7,5.0.2.6,5.0.2.5

Operating System:  AIX,HP-UX,Linux,Solaris,Windows

Supersedes Fixes:  PQ99537

PRE-REQUISITE FIXES:

CMVC Defect:  PK28963

Byte size of APAR:  6314

Date: 2006-10-24

Abstract:  Under some circumstances jsp source code may be exposed. Details of how to expose jsp source code are not provided in order to limit the exposure.

Description/symptom of problem:  
PK28963 resolves the following problem:

ERROR DESCRIPTION:                                              
In some situations the source code of a JSP may be displayed.   
This APAR addresses one, but not all, of these situations.      
                                                                
This APAR replaces PQ99537.                                     
                                                                
A PQ99537 ifix was created and released with inadequate         
prerequisite data which prevented clients from                  
successfully installing the ifix. This "bad ifix"               
was published in the document referenced below. In an attempt   
to correct the problem a corrected version of the ifix,         
named PQ99537Express, was released with updated prerequisite    
data and published in the same document. This version has the   
complete prerequisite information and will apply correctly      
on WebSphere ND, Base and Express V5.0. However, only the       
PQ99537Express version will apply to WebSphere V5.1.1.0         
ND/Base. Again this is a "bad fix" due to improper and          
misleading naming.                                              
                                                                
Ifix PQ99537 and its web page need to be removed and replaced   
with a new web page which provides a new ifix for               
WebSphere ND/Base/Express V5.0 & V5.1. The new ifix should      
contain the complete code contained in PQ99537Express as        
a single ifix.                                                  
                                                                
                                                                
IBM - PQ99537; 5.0.2.9, 5.1.0.5, 5.1.1.3: Possible JSP source code exposure
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q1=PQ99537&uid=swg24008814&loc=en_US&cs=utf-8&lang=en

LOCAL FIX:                                                      
Local workaround is to install PQ99537Express on WebSphere V5.1 
ND/Base even though the ifix name indicates "Express".          

PROBLEM SUMMARY

USERS AFFECTED:
Users who provide a jsp for access based on
file serving.

PROBLEM DESCRIPTION:
Under some circumstances jsp source
code may be exposed. Details of
how to expose jsp source code are
not provided in order to limit the
exposure.


RECOMMENDATION:
None


The webcontainer may incorrectly process a request and
as a result display jsp source code.

This APAR replaces PQ99537.

The exposure reported has been closed. However, for full
security from jsp source code exposures PK23475 must also
be installed.

This fix was originally provided under PQ99537, but the
fix provided was badly named. This APAR simply provides
a repackaged version of the PQ99537 fix and required no
additional code changes.

PROBLEM CONCLUSION:                                             


Directions to apply fix:  

  Fix applies to Editions:
    Release:
    5.0   5.1
    ___   X__ Application Server (Express or base)
    ___       Enterprise Edition (DD)
    ___   X__ Network Deployment (ND)
    ___   ___ Edge Components
    ___   ___ Developers Edition
    ___   ___ Tools
          ___ WebSphere Business Integration Server Foundation (WBISF)

  Install Fix to:
    Method:
    X_ Application Server Nodes 
    __ Deployment Manager Nodes
    __ Both

  NOTE:
    The user must:
      * Have Administrative rights in Windows, or be the actual root user in a UNIX environment.
      * Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.

    The Update Installer can be downloaded from the following link:
      http://www.ibm.com/support/docview.wss?rs=80&uid=swg24008401

    The Update Installer for V5.0 does not have a maintenance directory.
    It uses fixpacks and fixes as the location of the unpacked files.

  1) Copy PK28963_Fix.jar file to the maintenance directory

  2) Shutdown WebSphere.
     Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the
     WebSphere instance that maintenance is being applied to.
     It is important that you perform a controlled and complete shutdown of the server to ensure
     that all transactions have completed, before installing the fix.

  3) Launch the Update Installer.

  4) Enter the installation location of the WebSphere product you want to update.

  5) Select the "Install maintenance package" operation.

  6) Enter the file name of the maintenance package to install (the PK28963_Fix.jar file which was
     copied into the maintenance directory).

  7) Install the maintenance package.

  8) Restart WebSphere.
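
  The same eight steps scripted for a UNIX node, as an added example that is
  not IBM's own tooling and not part of this APAR. It assumes an install root
  of /opt/WebSphere/AppServer, a server named server1, a fix directory of
  $WAS_HOME/update/fixes, and that the Update Installer's silent front end
  (updateSilent.sh with -fix/-installDir/-fixDir/-fixes/-install) is present;
  adjust those for your node. The controlled shutdown refuses to proceed while
  serverStatus still reports the server STARTED, and the fix is confirmed in
  historyInfo output before the server is restarted.

```shell
#!/bin/sh
# Added example (not IBM's tooling): apply PK28963 non-interactively on one
# Application Server node. Every path, server name and installer flag below is
# an assumption about a typical V5.1 install; adjust before use.
WAS_HOME="${WAS_HOME:-/opt/WebSphere/AppServer}"   # assumed install root
SERVER="${SERVER:-server1}"                         # assumed server name
FIX_ID="PK28963"
FIX_JAR="${FIX_ID}_Fix.jar"
MAINT_DIR="$WAS_HOME/update/fixes"                  # assumed fix directory

# Step 1: the maintenance jar must already sit in the fix directory.
check_jar_present() {   # usage: check_jar_present <dir> <jar>
    [ -f "$1/$2" ]
}

# Does an Update Installer history listing mention every fix ID given?
# Takes the listing text as its first argument so it can be run on a
# captured historyInfo.sh output without a live node.
fixes_listed() {        # usage: fixes_listed "<historyInfo output>" ID...
    text="$1"; shift
    for id in "$@"; do
        printf '%s\n' "$text" | grep -q "$id" || return 1
    done
    return 0
}

# Step 2: controlled shutdown. stopServer.sh waits for in-flight work to
# finish; we still refuse to continue if the server reports STARTED.
controlled_shutdown() {
    . "$WAS_HOME/bin/setupCmdLine.sh"
    "$WAS_HOME/bin/stopServer.sh" "$SERVER"
    if "$WAS_HOME/bin/serverStatus.sh" "$SERVER" | grep -q "STARTED"; then
        echo "$SERVER still running; not installing" >&2
        return 1
    fi
    return 0
}

# Steps 3-7: silent equivalent of the wizard's "Install maintenance package"
# (flag set is an assumption about updateSilent.sh).
install_fix() {
    "$WAS_HOME/update/updateSilent.sh" -fix -installDir "$WAS_HOME" \
        -fixDir "$MAINT_DIR" -fixes "$FIX_ID" -install
}

# Confirm the fix is recorded in the node's maintenance history.
verify_fix() {
    fixes_listed "$("$WAS_HOME/bin/historyInfo.sh")" "$FIX_ID"
}

apply_pk28963() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    check_jar_present "$MAINT_DIR" "$FIX_JAR" \
        || { echo "$FIX_JAR not in $MAINT_DIR" >&2; return 1; }
    controlled_shutdown || return 1
    install_fix || return 1
    verify_fix || { echo "$FIX_ID missing from historyInfo output" >&2; return 1; }
    "$WAS_HOME/bin/startServer.sh" "$SERVER"   # Step 8: restart
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--apply" ]; then
    apply_pk28963
fi
```

  Run it as root with --apply after copying PK28963_Fix.jar into the fix
  directory; on Windows the equivalent is the interactive steps above with
  setupCmdLine.bat.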

Directions to remove fix:  

  NOTE:
    * The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
    * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
    * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
    * YOU MAY REAPPLY ANY REMOVED FIX.

  Example:  If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be
            removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

  1) Shutdown WebSphere. 
     Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere
     instance that uninstall is being run against.
     It is important that you perform a controlled and complete shutdown of the server to ensure
     that all transactions have completed, before removing the fix.

  2) Start the Update Installer.

  3) Enter the installation location of the WebSphere product from which you want to remove the fix.

  4) Select "Uninstall maintenance package" operation

  5) Enter the file name of the maintenance package to uninstall (PK28963_Fix.jar)

  6) Uninstall maintenance package.

  7) Restart WebSphere

Directions to re-apply fix:  

  1) Shutdown WebSphere. 
     It is important that you perform a controlled and complete shutdown of the server to ensure
     that all transactions have completed, before installing the fix.

  2) Follow the instructions to apply the fix.

  3) Restart WebSphere.

Additional Information:  
This fix must be installed in conjunction with PK23475 for full 
protection from the JSP source code exposure. However, PK23475
may not be available for all of the same levels as this fix. As 
a result it will be necessary to upgrade to a level on which PK23475
is available in order to obtain full protection.
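
Because the APAR withholds the request that triggers the exposure, the
practical after-the-fact check is on the response side: does a body that came
back for a JSP look like the JSP's source text rather than its rendered output?
The following added example (not IBM's code and not part of this APAR) gives
that classifier, a scan over a directory of captured response bodies such as a
proxy or scanner would leave behind, and a plain-GET probe of a JSP URL on the
patched node. It does not reproduce the withheld trigger; it checks the normal
request path and the markers that only survive in unprocessed JSP text. The
URL and directory arguments are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's: classify HTTP response bodies as "JSP source
# visible" versus rendered output, and probe one JSP URL with a plain GET.

# Markers that only appear in unprocessed JSP text: page/taglib/include
# directives, <jsp:...> standard actions, and <% %> scriptlet, <%= %>
# expression or <%! %> declaration blocks. Rendered HTML has none of these.
JSP_SOURCE_RE='<%@[[:space:]]*(page|taglib|include)[[:space:]]|<jsp:[A-Za-z]+|<%[=!]?[^%]*%>'

looks_like_jsp_source() {   # usage: looks_like_jsp_source <file>; 0 = source visible
    grep -Eq "$JSP_SOURCE_RE" "$1"
}

# Scan every regular file in a directory of captured response bodies.
# Prints each leaking file; returns 1 if any leaked, 0 if all were clean.
scan_responses() {          # usage: scan_responses <dir>
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if looks_like_jsp_source "$f"; then
            echo "JSP source visible in response: $f"
            rc=1
        fi
    done
    return $rc
}

# Plain GET of a JSP on the patched node (the URL is an assumption).
# 0 = rendered, 1 = source visible, 2 = request failed.
probe_jsp() {               # usage: probe_jsp <url>
    body=$(mktemp)
    if ! curl -s -f -o "$body" "$1"; then rm -f "$body"; return 2; fi
    if looks_like_jsp_source "$body"; then rm -f "$body"; return 1; fi
    rm -f "$body"
    return 0
}

# With a URL argument, probe it; otherwise only define the functions.
if [ -n "${1:-}" ]; then
    probe_jsp "$1"
fi
```

The classifier deliberately keys on directive and scriptlet syntax rather than
on the word "jsp" in the URL, so it can be run over responses for any path:
the file-serving exposure this APAR describes returns the JSP text regardless
of what the request looked like. A response that merely echoes user input
containing "<%" would be a false positive; review hits rather than acting on
them automatically.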