=====================================================================
                         CERT-Renater
             Information Note No. 2012/VULN038
_____________________________________________________________________
DATE                : 17/01/2012
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : IBM i running WebSphere Application Server
versions 6, 7, 8.
======================================================================
http://www-01.ibm.com/support/docview.wss?uid=swg21569205
______________________________________________________________________
Possible security exposure for WebSphere Application Server on IBM i
(PM49712)
(CVE-2011-1376)
Flash (Alert)
Abstract
Native file permissions for WebSphere Application Server are incorrect
on IBM i operating systems.
Content
CVE ID: CVE-2011-1376
Versions affected:
This only occurs on the following:
IBM® WebSphere® Application Server for IBM i operating systems for
Versions 6.1 through 6.1.0.41, 7.0 through 7.0.0.19, and 8.0 through
8.0.0.1.
This does not occur on:
     IBM WebSphere Application Server Versions prior to Version 6.1.
     IBM WebSphere Application Server for distributed operating systems, IBM
WebSphere Application Server for z/OS operating systems, or IBM WebSphere
Application Server Hypervisors.
Problem Description:
Native file permissions for WebSphere Application Server are incorrect
on IBM i operating systems.
CVSS:
     CVSS Base Score: 4.4
     CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71230 for the current score.
     CVSS Environmental Score*: Undefined
     CVSS String: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Solutions:
Applying the appropriate Interim Fix APAR PM49712, or a PTF group
containing the APAR (see below), will address this issue.
For IBM WebSphere Application Server for IBM i operating systems:
     For V8.0 through 8.0.0.1:
         Apply Interim Fix APAR PM49712
         --OR--
         Apply the WebSphere Application Server PTF group which includes
Fix Pack 2 (8.0.0.2), or later, (targeted to be available 16 January
2012) according to the PTF group instructions.
     Note: If you use the Web-based ("live") repository provided by IBM,
Installation Manager (IM) will, by default, pick up any recommended
Interim Fixes (iFix) when installing WebSphere Application Server V8 or
any of its V8 Service Fix Packs. As a result, the iFix may already be
installed. If you are unsure as to whether or not it is installed,
you can check either using the IM GUI by selecting "File->View Installed Packages"
or using the IM command line "imcl listInstalledPackages -long".
     For V7.0 through 7.0.0.19:
         Apply Interim Fix APAR PM49712
         --OR--
         Apply the WebSphere Application Server PTF group which includes
Fix Pack 21 (7.0.0.21), or later, (targeted to be available 16 January
2012) according to the PTF group instructions.
     For V6.1 through 6.1.0.41:
         Apply Interim Fix APAR PM49712
         --OR--
         Apply the WebSphere Application Server PTF group which includes
Fix Pack 43 (6.1.0.43), or later, (targeted to be available 19 March
2012) according to the PTF group instructions.
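
Added example (not part of the IBM bulletin and not IBM or CERT-Renater tooling): a triage helper that applies the affected ranges and fix levels listed above to an inventory of installs. The inventory rows, host names, platform labels and the list of installed interim fixes are constructed assumptions.

```python
# Added example: affected ranges and fix packs copied from the advisory text.
AFFECTED = [
    # (first affected, last affected, fix pack containing the fix)
    ((6, 1, 0, 0), (6, 1, 0, 41), "6.1.0.43"),
    ((7, 0, 0, 0), (7, 0, 0, 19), "7.0.0.21"),
    ((8, 0, 0, 0), (8, 0, 0, 1), "8.0.0.2"),
]
APAR = "PM49712"

def parse_version(text):
    """Turn '7.0.0.19' or '6.1' into a 4-tuple, padding short forms with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def triage(platform, version, ifixes=()):
    """Return (status, detail) for one WebSphere Application Server install."""
    # The advisory covers IBM i only; distributed, z/OS and Hypervisor editions are excluded.
    if platform.strip().lower() != "ibm i":
        return ("not-affected", "platform is not IBM i")
    v = parse_version(version)
    if v < (6, 1, 0, 0):
        return ("not-affected", "versions prior to 6.1 are not affected")
    for low, high, fix_pack in AFFECTED:
        if low <= v <= high:
            # The interim fix may already be installed, so check it apart from the version.
            if APAR in ifixes:
                return ("fixed", f"interim fix {APAR} is installed")
            return ("affected", f"apply {APAR} or the PTF group with Fix Pack {fix_pack} or later")
    return ("not-listed", "version is outside the ranges the advisory lists")

# Constructed inventory: (host, platform label, version, installed interim fixes).
SAMPLE_INVENTORY = [
    ("was-a", "IBM i", "7.0.0.19", []),
    ("was-b", "IBM i", "8.0.0.1", ["PM49712"]),
    ("was-c", "z/OS", "7.0.0.15", []),
    ("was-d", "IBM i", "6.1", []),
    ("was-e", "IBM i", "8.0.0.2", []),
]

def affected_hosts(inventory):
    """Hosts that still need the interim fix or the fixed PTF group."""
    return [h for h, p, v, f in inventory if triage(p, v, f)[0] == "affected"]

if __name__ == "__main__":
    for host, platform, version, ifixes in SAMPLE_INVENTORY:
        print(host, version, *triage(platform, version, ifixes))
```
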
  =========================================================
  CERT-Renater reference servers
  http://www.urec.fr/securite
  http://www.cru.fr/securite
  http://www.renater.fr
  =========================================================
  + CERT-RENATER          | tel : 01-53-94-20-44          +
  + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
  + 75013 Paris           | email: certsvp@renater.fr     +
  =========================================================
