
PK52059; Potential security exposure with serveservletsbyclassnameenabled

Abstract

Possible security exposure with SERVESERVLETSBYCLASSNAMEENABLED on IBM® WebSphere® Application Server V6.0 and V6.1.

Download Description

PK52059 resolves the following problem:

ERROR DESCRIPTION:
There is a possible security exposure with the serveServletsByClassnameEnabled feature which is available to be set at the application level.

LOCAL FIX:
Disable serveServletsByClassnameEnabled feature for each web application installed on a server.

PROBLEM SUMMARY

USERS AFFECTED:
All users of WebSphere Application Server versions 6.0 through 6.0.2.25 and 6.1 through 6.1.0.14 for Distributed, i5/OS® and z/OS®. This problem does not occur on versions 4.0, 5.0, and 5.1.

PROBLEM DESCRIPTION:

There is a possible security exposure with the serveServletsByClassnameEnabled feature. This feature is available to be set at the application level.

RECOMMENDATION:
None

PROBLEM CONCLUSION:
The security exposure has been closed and two new webcontainer custom properties have been introduced:


Property Name: com.ibm.ws.webcontainer.disallowserveservletsbyclassname
Description: If set to true, disallows the use of serveServletsByClassnameEnabled for the whole application server, overriding any serveServletsByClassnameEnabled setting made at the application level.
Values: true/false (default)


Property Name: com.ibm.ws.webcontainer.donotservebyclassname
Description: A semicolon-delimited list of classes that must not be served by class name.
Values: String, such as com.ibm.BlockedClass1;com.ibm.BlockedClass2;com.ibm.BlockedClass3

Note: This property is not applied when the new custom property com.ibm.ws.webcontainer.disallowserveservletsbyclassname is set to true (that setting already blocks every class). When it is applied, it overrides serveServletsByClassnameEnabled for any application that provides one of the listed classes, so those classes are blocked even if the application has the feature enabled.

Note: After applying this fix, serving servlets by class name requires both that the new custom property com.ibm.ws.webcontainer.disallowserveservletsbyclassname is set to false (the default) and that serveServletsByClassnameEnabled is enabled for the application which provides the classes to be served.
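The precedence between the two new properties and the application-level setting is easy to get wrong during a rollout. The following is an added example, not IBM code and not a WebSphere API: it models the three rules stated above (server-wide disallow first, then the semicolon blocklist, then the application's own serveServletsByClassnameEnabled flag) as an audit function that reports which servlet classes would still be reachable by class name for a given set of container properties. The WebApp structure, the property dictionary and the sample applications are constructed for the example.

```python
"""
Added example (not IBM's code): models the precedence documented for the
PK52059 web container custom properties so an administrator can check which
applications would still have servlets served by class name.

Rules modelled (from the APAR text):
  1. com.ibm.ws.webcontainer.disallowserveservletsbyclassname=true blocks the
     feature for every application on the server, whatever the app setting.
  2. Otherwise com.ibm.ws.webcontainer.donotservebyclassname (semicolon list)
     blocks the listed classes even if the application enables the feature.
  3. Otherwise a class is served by name only if the application providing it
     has serveServletsByClassnameEnabled=true.
The WebApp class and the property dictionary are assumptions for this
example; they are not WebSphere APIs or configuration objects.
"""
from dataclasses import dataclass, field

DISALLOW_PROP = "com.ibm.ws.webcontainer.disallowserveservletsbyclassname"
BLOCKLIST_PROP = "com.ibm.ws.webcontainer.donotservebyclassname"


@dataclass
class WebApp:
    """Constructed stand-in for one installed web application."""
    name: str
    serve_by_classname_enabled: bool
    servlet_classes: list = field(default_factory=list)


def parse_blocklist(value):
    """Split the semicolon-delimited property value; ignore blanks and spaces."""
    if not value:
        return set()
    return {c.strip() for c in value.split(";") if c.strip()}


def _is_true(value):
    """Custom property values are strings; treat only 'true' as enabled."""
    return str(value).strip().lower() == "true"


def is_served_by_classname(container_props, app, class_name):
    """Return True if class_name would be reachable by class name."""
    # Rule 1: the server-wide disallow overrides everything else.
    if _is_true(container_props.get(DISALLOW_PROP, "false")):
        return False
    # Rule 2: the blocklist applies only when rule 1 is not set.
    if class_name in parse_blocklist(container_props.get(BLOCKLIST_PROP, "")):
        return False
    # Rule 3: the application-level flag decides.
    return app.serve_by_classname_enabled


def audit_exposed_servlets(container_props, apps):
    """Return {app name: [classes still served by name]} for review."""
    exposed = {}
    for app in apps:
        served = [c for c in app.servlet_classes
                  if is_served_by_classname(container_props, app, c)]
        if served:
            exposed[app.name] = served
    return exposed


# Constructed sample data: two applications, one with the feature enabled.
SAMPLE_APPS = [
    WebApp("orders", True,
           ["com.example.orders.Admin", "com.example.orders.Report"]),
    WebApp("catalog", False, ["com.example.catalog.Browse"]),
]

if __name__ == "__main__":
    # No new properties set: "orders" still serves both classes by name.
    print(audit_exposed_servlets({}, SAMPLE_APPS))
    # Blocklist a single class: only Report remains reachable.
    print(audit_exposed_servlets(
        {BLOCKLIST_PROP: "com.example.orders.Admin"}, SAMPLE_APPS))
    # Server-wide disallow closes everything, regardless of the blocklist.
    print(audit_exposed_servlets({DISALLOW_PROP: "true"}, SAMPLE_APPS))
```

Running the block with the three property sets shows the intended end state for most deployments: setting the server-wide disallow property yields an empty report, while the blocklist alone only narrows exposure to the classes not listed.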

Please refer to the following technote for instructions on enabling WebContainer custom properties:
http://www.ibm.com/support/docview.wss?rss=180&uid=swg21284395

To apply the fix:

For versions 6.1.0.9 through 6.1.0.13:
Apply Interim Fix 6.1.0.9-WS-WAS-IFPK52059.pak

For versions 6.1.0.2 through 6.1.0.7:
Apply Interim Fix 6.1.0.2-WS-WAS-IFPK52059.pak

For versions 6.1 through 6.1.0.1:
Apply Interim Fix 6.1.0.0-WS-WAS-IFPK52059.pak

For version 6.0.2.25:
Apply Interim Fix 6.0.2.25-WS-WAS-IFPK52059.pak

For versions 6.0.2.13 through 6.0.2.23:
First apply the prerequisite fix PK54499:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24017926
Then apply Interim Fix 6.0.2.13-WS-WAS-IFPK52059.pak

For versions 6.0.2.9 through 6.0.2.11:
Apply Interim Fix 6.0.2.9-WS-WAS-IFPK52059.pak

For versions 6.0.2.5 through 6.0.2.7:
Apply Interim Fix 6.0.2.5-WS-WAS-IFPK52059.pak

For versions 6.0.2 through 6.0.2.3:
Apply Interim Fix 6.0.2.0-WS-WAS-IFPK52059.pak

For versions 6.0.1 through 6.0.1.2:
Apply Interim Fix 6.0.1.0-WS-WAS-IFPK52059.pak

For versions 6.0 through 6.0.0.3:
Apply Interim Fix 6.0.0.0-WS-WAS-IFPK52059.pak


The fix for this APAR is currently targeted for inclusion in Fix Packs 5.1.1.18, 6.0.2.27, 6.1.0.15. However, note that for Fix Pack 5.1.1.18, the fix is only included in order to provide the two new webcontainer custom properties and is not required to fix a security vulnerability.

Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller (http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991) to install this fix.

Installation Instructions

Please review the readme.txt (ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK52059/readme.txt) for detailed installation instructions.

Download Package

Download                    Release date  Language    Size (bytes)  Download options
6.1.0.9-WS-WAS-IFPK52059    1/9/2008      US English  18221         FC, FTP, DD
6.1.0.2-WS-WAS-IFPK52059    1/9/2008      US English  18097         FC, FTP, DD
6.1.0.0-WS-WAS-IFPK52059    1/9/2008      US English  18094         FC, FTP, DD
6.0.2.25-WS-WAS-IFPK52059   1/9/2008      US English  16592         FC, FTP, DD
6.0.2.13-WS-WAS-IFPK52059   2/8/2008      US English  16210         FC, FTP, DD
6.0.2.9-WS-WAS-IFPK52059    1/9/2008      US English  16422         FC, FTP, DD
6.0.2.5-WS-WAS-IFPK52059    1/9/2008      US English  15278         FC, FTP, DD
6.0.2.0-WS-WAS-IFPK52059    1/9/2008      US English  15120         FC, FTP, DD
6.0.1.0-WS-WAS-IFPK52059    1/9/2008      US English  15042         FC, FTP, DD
6.0.0.0-WS-WAS-IFPK52059    1/9/2008      US English  14956         FC, FTP, DD

Download options: FC = Fix Central, FTP = direct FTP download, DD = Download Director.

Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Document Information

Modified date:
15 June 2018

UID

swg24018067