=====================================================================
CERT-Renater Note d'Information No. 2011/VULN278
_____________________________________________________________________
DATE                 : 01/04/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : z/OS running IBM WebSphere Application Server.
======================================================================

http://www-01.ibm.com/support/docview.wss?uid=swg21473989&myns=swgws&mynp=OCSS7K4U&mync=E
______________________________________________________________________

Potential security exposure with IBM WebSphere Application Server on z/OS
running with Local Operating System user registry
(PM35480, PM35478, PM35545, PM35611, PM35609)

Flash (Alert)

Abstract

Unauthorized users might be granted unintended access to WebSphere applications.

Content

* Versions affected
* Problem description
* Solution
* Temporary patch option
* Instructions for installing ++APARs
* Change history
* Additional documentation

Versions affected

This only fails on the WebSphere Application Server for z/OS products.

* WebSphere Application Server for z/OS Versions 6.0 through 6.0.2.43, 6.1 through 6.1.0.35, and 7.0 through 7.0.0.15. This does not occur on any releases of WebSphere Application Server for z/OS Versions prior to 6.0, or after 6.0.2.43, 6.1.0.35 and 7.0.0.15.
* WebSphere Application Server OEM for z/OS (FMID HBBN610) Versions 6.1.0.25 through 6.1.0.32, and WebSphere Application Server OEM for z/OS (FMID HBBN700) Versions 7.0.0.7 through 7.0.0.13. This does not occur on any releases of WebSphere Application Server OEM for z/OS Versions prior to 6.1.0.25 and 7.0.0.7, or after 6.0.2.43 and 7.0.0.13.

Problem description

Unauthorized users might be granted unintended access to WebSphere applications when running WebSphere Application Server for z/OS. This only occurs when WebSphere is configured with a Local OS user registry or with a Federated Repository configured with the RACF (Resource Access Control Facility) adapter.
Both the Local OS user registry and the Federated Repository configuration with the RACF adapter use the SAF (System Authorization Facility) implementation, which means that both RACF and equivalent SAF-based products are affected.

Solution

If you meet the preceding criteria, it is highly recommended that you take action, as appropriate, using one of the options below:

* ++APAR: You can apply the appropriate prebuilt ++APAR below, or open a PMR (Problem Management Record) with IBM WebSphere Application Server for z/OS support to request a custom-built ++APAR.
* PTF: You can apply the appropriate PTF containing that APAR, when available.
* Temporary patch option: You can temporarily patch the version of the WebSphere Application Server that you have installed until you can upgrade to the PTF that contains the APAR, or until you get a custom-built ++APAR.

These prebuilt ++APARs also include the update to the Java JRE/JDK for CVE-2010-4476. Refer to the Flash on CVE-2010-4476 for more details.

Important note from IBM Support: IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions at the System z Security Portal. Important security and integrity APARs and associated fixes will be posted to this portal. IBM suggests that any security or integrity fix be applied as soon as possible to minimize any potential risk.

For IBM WebSphere Application Server for z/OS:

For V7.0 through 7.0.0.15:
* Move up in maintenance to one of the service levels listed below, and then,
  o For V7.0.0.15, download and apply ++APAR AM35480
  o For V7.0.0.13, download and apply ++APAR BM35480
--OR--
* Apply APAR PM35480 via PTFs for 7.0.0.17 or later, when available (projected to be available May 2011).
For V6.1 through 6.1.0.35:
* Move up in maintenance to one of the service levels listed below, and then,
  o For V6.1.0.35, download and apply ++APAR AM35478
  o For V6.1.0.33, download and apply ++APAR BM35478
  o For V6.1.0.32, download and apply ++APAR CM35478
--OR--
* Apply APAR PM35478 via PTFs for 6.1.0.37 or later, when available (projected to be available April 2011).

For V6.0 through 6.0.2.43:
* Move up in maintenance to service level 6.0.2.43, if not already at this level, and then,
* Download and apply ++APAR AM35545

For IBM WebSphere Application Server OEM for z/OS:

For V7.0.0.7 through 7.0.0.13:
* Move up in maintenance to service level 7.0.0.13, if not already at this level, and then,
* Download and apply ++APAR AM35611
--OR--
* Apply APAR PM35611 via PTFs for 7.0.0.15 or later, when available (projected to be available April 2011).

For V6.1.0.25 through 6.1.0.32:
* Move up in maintenance to service level 6.1.0.32, if not already at this level, and then,
* Download and apply ++APAR AM35609

To install a ++APAR, follow the Instructions for installing ++APARs.

Note: Customers that require a fix at a different WebSphere service level not mentioned above, or those who are running with a service level mentioned above but also have an existing ++APAR, will need to open a PMR to work with IBM Technical Support personnel to determine the best method for providing a fix for their system. Be prepared to provide IBM with your current service level and any existing ++APARs that have already been received/applied to your system.

Temporary patch option

If you cannot use one of the prebuilt ++APARs above, and you cannot wait for a ++APAR to be built at your level, you can temporarily patch the version of the WebSphere Application Server that you have installed until you can upgrade to the PTF that contains the APAR or until you get a custom-built ++APAR.
The patch utility can be run against a JAR that contains the affected class; it renames the JAR with a "-backup" suffix and creates a new JAR with the patch applied. (The rename preserves the symlink target if run against the config file system.) The patch is applied using byte code generation against a method that has not changed since WebSphere Application Server Version 6.0.2. This allows the same utility to be used on all previously unpatched levels of code.

Important note about the temporary patch utility: This patch utility is a temporary mechanism for addressing this critical security vulnerability by patching the affected JAR file. Refer to the readme instructions shipped with the JAR for further instructions. IBM recommends that you install the appropriate ++APAR or PTF that includes this fix, as time permits. Prior to putting on new maintenance, the undo instructions for the patch utility will need to be performed to avoid running with downlevel code.

To use this utility, download the patch utility PM35478-zap.jar and follow the instructions in the PM35478PatchReadme file.

Instructions for installing ++APARs

1. FTP the file to your system in BINARY, into a FIXED RECORD LENGTH 1024 data set.
2. Force these DCB attributes using the following TSO FTP client command right before the GET command:

     LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0

   If the ++APAR is quite large, you can also pass data set allocation information on the LOCSITE command. The example below gives the ++APAR file 300 cylinders in its primary and secondary extents. These numbers are just examples:

     LOCSITE LRECL=1024 RECFM=FB BLKSIZE=0 PRI=300 SEC=300 CYL

3. UNTERSE the file.
4. SMP/E RECEIVE and APPLY the ++APAR.
5. You must SMP/E RESTORE OFF the ++APAR before installing further WebSphere maintenance.
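As an added example that is not part of the IBM flash or of this CERT-Renater note, the following Python script encodes the affected version ranges and prebuilt ++APAR service levels listed above so that an installed service level can be checked numerically (a plain string comparison would misorder 6.0.2.5 and 6.0.2.43); the product keys WAS_ZOS and WAS_OEM_ZOS are labels chosen here, not IBM identifiers.

```python
# Added example: maps a WebSphere for z/OS service level to the advisory's
# affected ranges and prebuilt ++APARs. Product keys are labels chosen here.


def parse_version(text):
    """'6.0.2.43' -> (6, 0, 2, 43); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))


# Affected ranges per product (both bounds inclusive), as stated in the flash.
AFFECTED = {
    "WAS_ZOS": [("6.0", "6.0.2.43"), ("6.1", "6.1.0.35"), ("7.0", "7.0.0.15")],
    "WAS_OEM_ZOS": [("6.1.0.25", "6.1.0.32"), ("7.0.0.7", "7.0.0.13")],
}

# Service levels for which IBM published a prebuilt ++APAR.
PREBUILT = {
    "WAS_ZOS": {"7.0.0.15": "AM35480", "7.0.0.13": "BM35480",
                "6.1.0.35": "AM35478", "6.1.0.33": "BM35478",
                "6.1.0.32": "CM35478", "6.0.2.43": "AM35545"},
    "WAS_OEM_ZOS": {"7.0.0.13": "AM35611", "6.1.0.32": "AM35609"},
}


def affected_range(product, version):
    """Return the (lo, hi) range containing version, or None if unaffected."""
    v = parse_version(version)
    for lo, hi in AFFECTED[product]:
        if parse_version(lo) <= v <= parse_version(hi):
            return lo, hi
    return None


def remediation(product, version):
    """Return (service level to be at, ++APAR to apply): the prebuilt ++APAR
    for the current level, or the nearest higher level in the same affected
    range that has one. Unaffected levels return (version, None)."""
    rng = affected_range(product, version)
    if rng is None:
        return (version, None)
    v, hi = parse_version(version), parse_version(rng[1])
    # Prebuilt levels at or above the current level, inside the same range;
    # every affected range's upper bound has a prebuilt ++APAR, so this is
    # never empty for an affected level.
    options = sorted((parse_version(lvl), lvl, apar)
                     for lvl, apar in PREBUILT[product].items()
                     if v <= parse_version(lvl) <= hi)
    _, level, apar = options[0]
    return (level, apar)
```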
Change history

31 Mar 2011:
* Added "Both the Local OS user registry and the Federated Repository configuration with RACF adapter use SAF (System Authorization Facility) implementation which means both RACF usage and equivalent product usage are affected." to the end of the Problem description for additional clarity.
* Updated the Temporary patch option description from "This patch utility will search an install tree for all the JAR files that contain the affected class. For each of the JARs it finds, it will rename the JAR with a "-backup" suffix, and create a new JAR with a patch applied." to "The patch utility can be run against a JAR that contains the affected class, it will rename the JAR with a "-backup" suffix, and create a new JAR with a patch applied."
* Added "Prior to putting on new maintenance, the undo instructions for the patch utility will need to be performed to avoid running with downlevel code." to the end of the Important note about the temporary patch utility for additional clarity.

30 Mar 2011:
* Original publish date.

Additional documentation

For additional details and information on WebSphere Application Server product updates, see APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.

======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44       +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41       +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================