Fix (APAR):  PM14765

Status:  Fix

Release:  1.0.1.0

Operating System:  AIX,HP-UX,i5/OS,Linux,Solaris,Windows

Supersedes Fixes:  

CMVC Defect:  PM14765

Byte size of APAR:  191614

Date: 2010-08-05

Abstract:  There is a security exposure related to JAX-RS REST services.

Description/symptom of problem:  
PM14765 resolves the following problem:

ERROR DESCRIPTION:                                              
There is a security exposure related to JAX-RS REST services.   
                                                                
The exposure can cause data tampering, denial of service and    
possible exposure of server file contents.                      
                                                                
A malicious client may use DTD (Document Type Definitions)      
to attack a JAX-RS REST service.                                

LOCAL FIX:                                                      

PROBLEM SUMMARY

USERS AFFECTED:
 All users of IBM WebSphere Application
Server  Feature Pack for Web 2.0

PROBLEM DESCRIPTION:
There is a security exposure related
to JAX-RS REST services.

RECOMMENDATION:
 Install a fixpack containing this APAR

There is a security exposure related to JAX-RS REST services.

The exposure can cause data tampering, denial of service and
possible exposure of server file contents.

A malicious client may use DTD (Document Type Definitions) to
attack the JAX-RS REST service.

The exposure exists only on JAX-RS REST resources that require
parsing of XML data.

PROBLEM CONCLUSION:                                             
The JAX-RS runtime is changed to disable the processing of      
DTDs contained within incoming messages.                        
                                                                
The fix for this APAR is currently targeted for inclusion       
in the next release of Web20 Feature Pack following version     
1.0.1.0.  Please refer to the Recommended                       
Updates page for delivery information:                          
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980   


Directions to apply fix:  
NOTE: Choose the:
1) Release the fix applies to
2) The Editions that apply
3) Delete the Editions & Methods that do not apply and this Note

Fix applies to Editions:
Release:
5.0  5.1
___  ___ Application Server (Express or BASE)
___      Enterprise Edition (DD)
___  ___ Network Deployment (ND)
___  ___ Edge Components
___  ___ Developers Edition
___  ___ Tools
     ___ WebSphere Business Integration Server Foundation (WBISF)

Install Fix to:
Method:
__ Application Server Nodes
__ Deployment Manager Nodes
__ Both

NOTE:
The user must:
* Have Administrative rights in Windows, or be the Actual Root User in a UNIX environments.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

The Update Installer for V5.0 does not have a maintenance directory.
It uses fixpacks and fixes as the location of the unpacked files.

1) Copy PKxxxxx.jar file directly to the maintenance directory

2) Shutdown WebSphere
Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to.

3) Launch Update Installer

4) Enter the installation location of the WebSphere product you want to update.

5) Select the "Install maintenance package" operation.

6) Enter the file name of the maintenance package to install (PKxxxxx.jar file which was copied in the maintenance directory).
The V5.0 and V5.1 fix packs and fixes are unpacked as .jar files and should be unpacked into fixpacks or fixes directory.

7) Install the maintenance package.

8) Restart WebSphere

Directions to remove fix:  
NOTE:
* The user must have Administrative rights in Windows, or be the Actual Root User in a UNIX environments.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shutdown WebSphere Application Server.
Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against.

2) Start Update Installer

3) Enter the installation location of the WebSphere product you want to remove the fix.

4) Select  "Uninstall maintenance package" operation.

5) Enter the file name of the maintenance package to uninstall (PKxxxxx.jar).

6) UnInstall maintenance package.

7) Restart WebSphere

Directions to re-apply fix:  
1) Shutdown WebSphere Application Server.

2) Follow the Fix instructions to apply the fix.

3) Restart WebSphere Application Server.



Additional Information: