Fix (APAR): PK28963
Status: Fix
Release: 5.1.0.5,5.1.0.4,5.1.0.3,5.1.0.2,5.0.2.9,5.0.2.8,5.0.2.7,5.0.2.6,5.0.2.5
Operating System: AIX,HP-UX,Linux,Solaris,Windows
Supersedes Fixes: PQ99537
PRE-REQUISITE FIXES:
CMVC Defect: PK28963
Byte size of APAR: 6314
Date: 2006-10-24
Abstract: Under some circumstances jsp source code may be exposed. Details of how to expose jsp source code are not provided in order to limit the exposure.
Description/symptom of problem:
PK28963 resolves the following problem:
ERROR DESCRIPTION:
In some situations the source code of a JSP may be displayed.
This APAR adresses one but not all of these situations.
This APAR replaces PQ99537.
A PQ99537 ifix was created and released with inadequate
prerequisite data which prevented clients from
successfully installing the ifix. This "bad ifix"
was published in the document referenced below. In an attempt
to correct the problem a corrected version of the ifix,
named PQ99537Express, was released with updated prerequisite
data and published in the same document. This version has the
complete prerequisite information and will apply correctly
on WebSphere ND, Base and Express V5.0. However, only the
PQ99537Express version will apply to WebSphere V5.1.1.0
ND/Base. Again this is a "bad fix" due to improper and
misleading naming.
Ifix PQ99537 and its web page need to be removed and replaced
with a new web page which provides a new ifix for
WebSphere ND/Base/Express V5.0 & V5.1. The new ifix should
contain the complete code contained in PQ99537Express as
a single ifix.
IBM - PQ99537; 5.0.2.9, 5.1.0.5, 5.1.1.3: Possible JSP source
code exposure
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q
1=PQ99537&uid=swg24008814&loc=en_US&cs=utf-8&lang=en
LOCAL FIX:
Local workaround is to install PQ99537Express to Websphere V5.1
ND/base even though the ifix name indicates "Express".
PROBLEM SUMMARY
USERS AFFECTED:
Users who provide a jsp for access based on
file serving.
PROBLEM DESCRIPTION:
Under some circumstances jsp source
code may be exposed. Details of
how to expose jsp source code are
not provided in order to limit the
exposure.
RECOMMENDATION:
None
The webcontainer may incorrectly process a request and
as a result display jsp source code.
This APAR replaces PQ99537.
The exposure reported has been closed. However, for full
security from jsp source code exposures PK23475 must also
be installed.
This fix was originally provided under PQ99537 but the
fix provided was badly named. This APAR simply provides
a repackaged version of the PQ99537 and did not require
any additional code changes.
PROBLEM CONCLUSION:
Directions to apply fix:
Fix applies to Editions:
Release:
5.0 5.1
___ X__ Application Server (Express or base)
___ Enterprise Edition (DD)
___ X__ Network Deployment (ND)
___ ___ Edge Components
___ ___ Developers Edition
___ ___ Tools
___ WebSphere Business Integration Server Foundation (WBISF)
Install Fix to:
Method:
X_ Application Server Nodes
__ Deployment Manager Nodes
__ Both
NOTE:
The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* Be logged in with the same authority level when upacking a fix, fix pack or refresh pack.
The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=80&uid=swg24008401
The Update Installer for V5.0 does not have a maintenance directory.
It uses fixpacks and fixes as the location of the unpacked files.
1) Copy PK28963_Fix.jar file to the maintenance directory
2) Shutdown WebSphere.
Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the
WebSphere instance that maintenance is being applied to.
It is important that you perform a controlled and complete shutdown of the server to ensure
that all transactions have completed, before installing the fix.
3) Launch the Update Installer.
4) Enter the installation location of the WebSphere product you want to update.
5) Slect the "Install maintenance package" operation.
6) Enter the file name of the maintenance package to install (PK28963_Fix.jar file which was copied
into the maintenance directory.
7) Install the maintenance package.
8) Restart WebSphere.
Directions to remove fix:
NOTE:
* The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED.
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED.
* YOU MAY REAPPLY ANY REMOVED FIX.
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be
removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.
1) Shutdown WebSphere.
Manually execute setupCmdLine.bat in Windows or ../setupCmdLine.sh in UNIX from the WebSphere
instance that uninstall is being run against.
It is important that you perform a controlled and complete shutdown of the server to ensure
that all transactions have completed, before installing the fix.
2) Start the Update Installer.
3) Enter the installation location of the WebSphere product you want to remove the fix.
4) Select "Uninstall maintenance package" operation
5) Enter the file name of the manintenance package to uninstall (PK28963_Fix.jar)
6) Uninstall maintenance package.
7) Restart WebSphere
Directions to re-apply fix:
1) Shutdown WebSphere.
It is important that you perform a controlled and complete shutdown of the server to ensure
that all transactions have completed, before installing the fix.
2) Follow the instructions to apply the fix.
3) Restart WebSphere.
Additional Information:
This fix must be installed in conjunction with PK23475 for full
protection from the jsp source code expsoure. However PK23475
may not be available for all of the same levels as this fix. As
a result it will be necessary to upgrade to a level on which PK23475
is available in oder to obtain full protection.