Fix (APAR): PK28963
Status: Fix
Release: 5.1.0.5, 5.1.0.4, 5.1.0.3, 5.1.0.2, 5.0.2.9, 5.0.2.8, 5.0.2.7, 5.0.2.6, 5.0.2.5
Operating System: AIX, HP-UX, Linux, Solaris, Windows
Supersedes Fixes: PQ99537
PRE-REQUISITE FIXES:
CMVC Defect: PK28963
Byte size of APAR: 6314
Date: 2006-10-24

Abstract: Under some circumstances JSP source code may be exposed. Details of how to expose JSP source code are not provided in order to limit the exposure.

Description/symptom of problem:
PK28963 resolves the following problem:

ERROR DESCRIPTION:
In some situations the source code of a JSP may be displayed. This APAR addresses one, but not all, of these situations.

This APAR replaces PQ99537. A PQ99537 ifix was created and released with inadequate prerequisite data, which prevented clients from successfully installing the ifix. This "bad ifix" was published in the document referenced below. In an attempt to correct the problem, a corrected version of the ifix, named PQ99537Express, was released with updated prerequisite data and published in the same document. This version has the complete prerequisite information and applies correctly on WebSphere ND, Base and Express V5.0. However, only the PQ99537Express version applies to WebSphere V5.1.1.0 ND/Base, so it too is a "bad fix": its name is improper and misleading. Ifix PQ99537 and its web page need to be removed and replaced with a new web page that provides a new ifix for WebSphere ND/Base/Express V5.0 and V5.1. The new ifix should contain the complete code from PQ99537Express as a single ifix.

IBM - PQ99537; 5.0.2.9, 5.1.0.5, 5.1.1.3: Possible JSP source code exposure
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q1=PQ99537&uid=swg24008814&loc=en_US&cs=utf-8&lang=en

LOCAL FIX:
Local workaround is to install PQ99537Express on WebSphere V5.1 ND/Base even though the ifix name indicates "Express".

PROBLEM SUMMARY
USERS AFFECTED: Users who provide a JSP for access based on file serving.
PROBLEM DESCRIPTION:
Under some circumstances JSP source code may be exposed. Details of how to expose JSP source code are not provided in order to limit the exposure.

RECOMMENDATION: None

The web container may incorrectly process a request and as a result display JSP source code. This APAR replaces PQ99537. The exposure reported has been closed. However, for full protection from JSP source code exposures PK23475 must also be installed.

This fix was originally provided under PQ99537, but the fix provided was badly named. This APAR simply provides a repackaged version of PQ99537 and required no additional code changes.

PROBLEM CONCLUSION:
Directions to apply fix:

Fix applies to Editions:                                    Release: 5.0   5.1
  Application Server (Express or base)                               ___   X__
  Enterprise Edition (DD)                                            ___
  Network Deployment (ND)                                            ___   X__
  Edge Components                                                    ___   ___
  Developers Edition                                                 ___   ___
  Tools                                                              ___   ___
  WebSphere Business Integration Server Foundation (WBISF)           ___

Install Fix to:        Method:
  X_ Application Server Nodes
  __ Deployment Manager Nodes
  __ Both

NOTE: The user must:
  * Have Administrative rights in Windows, or be the actual root user in a UNIX environment.
  * Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=80&uid=swg24008401

The Update Installer for V5.0 does not have a maintenance directory. It uses fixpacks and fixes as the location of the unpacked files.

1) Copy the PK28963_Fix.jar file to the maintenance directory.
2) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that maintenance is being applied to. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed before installing the fix.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Select the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (the PK28963_Fix.jar file which was copied into the maintenance directory).
7) Install the maintenance package.
8) Restart WebSphere.

Directions to remove fix:

NOTE:
  * The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
  * FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
  * DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
  * YOU MAY REAPPLY ANY REMOVED FIX.
  Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, then fix2 removed, and fix3 re-applied.

1) Shut down WebSphere. Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere instance that the uninstall is being run against. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed before removing the fix.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select the "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (PK28963_Fix.jar).
6) Uninstall the maintenance package.
7) Restart WebSphere.

Directions to re-apply fix:
1) Shut down WebSphere. It is important that you perform a controlled and complete shutdown of the server to ensure that all transactions have completed before installing the fix.
2) Follow the instructions to apply the fix.
3) Restart WebSphere.

Additional Information:
This fix must be installed in conjunction with PK23475 for full protection from the JSP source code exposure. However, PK23475 may not be available for all of the same levels as this fix. As a result it will be necessary to upgrade to a level on which PK23475 is available in order to obtain full protection.
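After applying the fix, an administrator will want a quick way to confirm that requests for JSP pages come back as rendered output and not as raw JSP source. The following Python script is an added example for this readme, not IBM code and not part of the APAR; it simply fetches each URL you give it as-is and flags any JSP constructs (page directives, scriptlets, expressions, declarations, JSP comments, standard actions) that the web container should have consumed before the response left the server. The sample response bodies at the bottom are constructed for illustration, and the User-Agent string and the text/html content-type expectation are assumptions. Because IBM deliberately withholds the request shape that triggers the exposure, a clean result from this check only shows that the requests you sent were handled correctly; it does not prove the server is patched, and it says nothing about the separate exposure closed by PK23475.

```python
"""Check whether responses for .jsp URLs carry unprocessed JSP source.

Added example for the PK28963 readme (not IBM code).  The checks below look
for JSP syntax that a correctly functioning web container never emits to a
client: directives (<%@ ... %>), declarations (<%! ... %>), expressions
(<%= ... %>), JSP comments (<%-- ... --%>), scriptlets (<% ... %>) and
standard actions (<jsp:... >).  Any of these reaching the browser means the
container served the file instead of compiling and executing it.
"""
import re
import sys
import urllib.error
import urllib.request
from typing import List, Tuple

# JSP constructs that must never appear in a rendered response.  Order matters
# only for the report; the scriptlet pattern excludes the other <% forms.
_JSP_MARKERS = [
    (re.compile(r"<%@\s*(page|include|taglib)\b"), "directive"),
    (re.compile(r"<%!"), "declaration"),
    (re.compile(r"<%="), "expression"),
    (re.compile(r"<%--.*?--%>", re.S), "jsp comment"),
    (re.compile(r"<%(?![@!=-])[\s\S]*?%>"), "scriptlet"),
    (re.compile(r"<jsp:(useBean|getProperty|setProperty|include|forward|param)\b"),
     "standard action"),
]


def jsp_markers_in(body: str) -> List[str]:
    """Return the kinds of unprocessed JSP constructs present in a response body."""
    return [kind for pattern, kind in _JSP_MARKERS if pattern.search(body)]


def jsp_source_leaked(body: str) -> bool:
    """True if the body contains anything that looks like raw JSP source."""
    return bool(jsp_markers_in(body))


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, str, str]:
    """GET the URL exactly as given (no path manipulation) and return
    (status, content-type, decoded body).  4xx/5xx bodies are returned too,
    since an error page could also carry source."""
    req = urllib.request.Request(url, headers={"User-Agent": "jsp-exposure-check"})
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    with resp:
        ctype = resp.headers.get("Content-Type", "")
        charset = resp.headers.get_content_charset() or "latin-1"
        body = resp.read().decode(charset, "replace")
        return resp.status, ctype, body


def assess(status: int, ctype: str, body: str) -> List[str]:
    """Collect findings for one response: JSP markers, and a non-HTML
    content type for a page that should have rendered as HTML."""
    findings = ["unprocessed JSP %s" % kind for kind in jsp_markers_in(body)]
    if "text/html" not in ctype.lower():
        findings.append("unexpected Content-Type %r (status %d)" % (ctype, status))
    return findings


# Constructed sample bodies (not captured from a real server).
RENDERED = """<html><body>
<h1>Welcome, alice</h1>
<p>Balance: 42.00</p>
<script>var pct = 100 % 7;</script>
</body></html>"""

LEAKED = """<%@ page import="java.util.*" contentType="text/html" %>
<%-- account summary --%>
<html><body>
<h1>Welcome, <%= request.getParameter("user") %></h1>
<% Account a = (Account) session.getAttribute("acct"); %>
<p>Balance: <%= a.getBalance() %></p>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No URLs given: run the detector over the constructed samples.
        for name, body in (("rendered sample", RENDERED), ("leaked sample", LEAKED)):
            print("%-16s leaked=%s %s" % (name, jsp_source_leaked(body), jsp_markers_in(body)))
        sys.exit(0)
    bad = 0
    for url in sys.argv[1:]:
        try:
            findings = assess(*fetch(url))
        except (urllib.error.URLError, OSError) as exc:
            print("%s: request failed: %s" % (url, exc))
            bad += 1
            continue
        print("%s: %s" % (url, "; ".join(findings) if findings else "ok"))
        bad += bool(findings)
    sys.exit(1 if bad else 0)
```

Run it with the JSP URLs your applications actually expose, e.g. `python jsp_check.py http://host:9080/app/index.jsp`; a non-zero exit means at least one response needs a look. A legitimate page that prints a literal "<%" in its HTML would be reported as a scriptlet, so treat a hit as something to inspect, not as proof by itself.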