A vulnerability has been discovered in IBM WebSphere Application Server that allows a local attacker to launch a DoS attack.
Package:
IBM WebSphere Application Server 6.1.x, IBM WebSphere Application Server 7.0.x
Operating systems:
HP-UX 10.x, HP-UX 11.x, IBM AIX 5.x, IBM AIX 6.x, IBM AIX 7.x, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, Sun Solaris 10, SUSE Linux Enterprise Server (SLES) 10, SUSE Linux Enterprise Server (SLES) 11
Problem:
error in a software component
Exploitation:
local
Consequence:
denial of service (DoS)
Solution:
vendor software patch
Original advisory ID:
PM43711
Source:
IBM
Problem:
The security problem is related to the use of the EJBDeploy command.
Consequence:
A local attacker can exploit the identified vulnerability to carry out a denial-of-service attack.
Solution:
All users are advised to apply the update, which is described in detail in the original advisory.
Fix (APAR): PM43711
Status: Fix
Release: 7.0.0.17
Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 1094985
Date: 2011-08-30
Abstract: EJBDeploy fails to generate the deployment code if the application contains common-logging code and makes use of custom mappings.
Description/symptom of problem:
PM43711 resolves the following problem:
ERROR DESCRIPTION:
EJBDeploy may fail with the following error:
Caused by: org.apache.commons.logging.LogConfigurationException: Class org.apache.commons.logging.impl.Jdk14Logger does not implement Log
at org.apache.commons.logging.impl.LogFactoryImpl.getLogConstructor(LogFactoryImpl.java:416)
at org.apache.commons.logging.impl.LogFactoryImpl.newInstance(LogFactoryImpl.java:525)
... 76 more
Caused by: org.apache.commons.logging.LogConfigurationException: Class org.apache.commons.logging.impl.Jdk14Logger does not implement Log
at org.apache.commons.logging.impl.LogFactoryImpl.getLogConstructor(LogFactoryImpl.java:412)
... 77 more
LOCAL FIX:
PROBLEM SUMMARY
USERS AFFECTED:
All users of the IBM WebSphere Application Server EJBDeploy tool.
PROBLEM DESCRIPTION:
EJBDeploy fails to generate the deployment code if the application contains common-logging code and makes use of custom mappings.
RECOMMENDATION:
None
The problem was caused by the limitation that commons-logging places on the classloader, described in
http://wiki.apache.org/commons/Logging/FrequentlyAskedQuestions
In the EJBDeploy scenario, multiple classloaders are loading the LogFactory:
[LogFactory from java.net.URLClassLoader@1905488275] [ENV] Class org.apache.commons.logging.LogFactory was loaded via classloader java.net.URLClassLoader@1905488275
[LogFactory from java.net.URLClassLoader@1905488275] [ENV] Ancestry of classloader which loaded org.apache.commons.logging.LogFactory is java.net.URLClassLoader@1905488275 == 'java.net.URLClassLoader@71937193'
[LogFactory from java.net.URLClassLoader@1905488275] [ENV] Ancestry of classloader which loaded org.apache.commons.logging.LogFactory is ClassLoader tree:java.net.URLClassLoader@1905488275 --> org.eclipse.osgi.internal.baseadaptor.DefaultClassLoader@1446729 --> org.eclipse.osgi.baseadaptor.BaseAdaptor$ParentClassLoader@16565 --> BOOT
PROBLEM CONCLUSION:
The limitation can be worked around by restoring the context classloader of the EJBDeploy thread after all the EJBDeploy code generation but before RMIC is called upon the generated code. That way the commons-logging library and custom converter can be used.
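The workaround in the conclusion above is the standard save-and-restore of the thread context classloader. The Java class below is an added example, not IBM's EJBDeploy code or the commons-logging library: it wraps a unit of work so that the context loader is put back in a finally block (the step the APAR adds between code generation and the RMIC call), and it includes a check that reproduces the root cause of the "does not implement Log" error, namely that one class name resolved through two different loaders yields two distinct Class objects. The names ContextClassLoaderGuard, runWith and sameClassViaContextLoader are assumptions made for this example; the "isolated" URLClassLoader in main is a constructed failure case, not something EJBDeploy creates.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.concurrent.Callable;

/**
 * Added example (hypothetical helper, not IBM or Apache code): the
 * context-classloader save/restore pattern described in the APAR
 * conclusion, plus a diagnostic for the duplicate-class problem that
 * commons-logging reports as "Class ... does not implement Log".
 */
public final class ContextClassLoaderGuard {

    private ContextClassLoaderGuard() {}

    /**
     * Runs {@code work} with {@code loader} as the thread context class
     * loader and restores the previous loader afterwards, even if the
     * work throws. Restoring in finally is what keeps a later step (the
     * RMIC invocation in the EJBDeploy scenario) from inheriting a loader
     * that cannot see the caller's copy of commons-logging.
     */
    public static <T> T runWith(ClassLoader loader, Callable<T> work) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader previous = current.getContextClassLoader();
        current.setContextClassLoader(loader);
        try {
            return work.call();
        } finally {
            current.setContextClassLoader(previous);
        }
    }

    /**
     * Reports whether the class named by {@code expected} resolves,
     * through the current thread's context loader, to the very same
     * Class object the caller holds. A false answer means an instance
     * created on the other side will fail an instanceof check against
     * {@code expected}: same name, different Class, which is exactly the
     * situation behind "Class ...Jdk14Logger does not implement Log".
     */
    public static boolean sameClassViaContextLoader(Class<?> expected) {
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        try {
            Class<?> seen = Class.forName(expected.getName(), false, tccl);
            return seen == expected;
        } catch (ClassNotFoundException e) {
            return false; // not visible at all from the context loader
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader toolLoader = ContextClassLoaderGuard.class.getClassLoader();
        ClassLoader before = Thread.currentThread().getContextClassLoader();

        // Healthy case: the context loader is (or delegates to) the loader
        // that defined the class, so both sides agree on one Class object.
        boolean sameDuring = runWith(toolLoader,
                () -> sameClassViaContextLoader(ContextClassLoaderGuard.class));

        // Constructed failure case: a loader with no parent delegation that
        // reads this class again from the same classpath location. Assumes
        // the class was loaded from a directory or jar (code source present).
        URL here = ContextClassLoaderGuard.class.getProtectionDomain().getCodeSource().getLocation();
        ClassLoader isolated = new URLClassLoader(new URL[] { here }, null);
        boolean sameWhenIsolated = runWith(isolated,
                () -> sameClassViaContextLoader(ContextClassLoaderGuard.class));

        // Whatever happened inside runWith, the original loader is back.
        boolean restored = Thread.currentThread().getContextClassLoader() == before;

        System.out.println("same Class via delegating loader: " + sameDuring);      // true
        System.out.println("same Class via isolated loader:   " + sameWhenIsolated); // false
        System.out.println("context loader restored:          " + restored);        // true
    }
}
```

The isolated-loader branch is the situation the diagnostic dump above shows from the other direction: commons-logging found LogFactory under one URLClassLoader while the Log implementation came through the OSGi loader chain, so the interface check failed. Restoring the context loader before RMIC runs removes the second loader from the picture for that step.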
The fix for this APAR is currently targeted for inclusion in fix pack 7.0.0.21. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Directions to apply fix:
Fix applies to Editions:
Release 7.0
__ Application Server (Express or BASE)
__ Network Deployment (ND)
__ Edge Components
__ Developer
Install Fix to all WebSphere installations unless special instructions are included below.
Special Instructions: None
NOTE:
The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V7.0.0.0 or newer of the Update Installer. Certain iFixes may require a newer version of the Update Installer and the Update Installer will inform you during the installation process if a newer version is required. This can be checked by reviewing the level of the Update Installer in file <was_root>/updateinstaller/version.txt.
The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991
1) If your iFix is delivered as a single file with a .pak extension, copy the .pak file directly to the maintenance directory. If your iFix is delivered as a single file with a .zip extension, unzip the file into the maintenance directory.
2) Shutdown WebSphere Application Server.
Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to.
3) For IBM i users, use the update command to install and uninstall the interim fix. The IBM Information Center can provide additional details, if needed, on the use of this command.
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-iseries&topic=rins_update.
For non-IBM i users, launch the Update Installer and click the Next button on the Welcome page.
4) Enter the directory path of the installation location of the WebSphere product you want to update, and click the Next button.
5) Select the "Install maintenance package" operation and click the Next button.
6) Enter the directory path of your maintenance directory where you have the maintenance packages (.pak files) and click the Next button.
7) The Available Maintenance Package to Install page should list all maintenance packages (.pak files) that it finds in the directory path provided in the previous step. The Update Installer will select the correct maintenance packages based on your system configuration and will not allow an invalid combination to be installed. Please keep the Update Installer recommendations, click the Next button and continue with the installation of the maintenance package. To determine why some maintenance packages have been identified as not applicable, see the description in the log found in <UPDI_root>/logs/tmp*/updatelogs.txt
8) For all platforms except Windows: in the pre-install summary panel, use the "verify permission" feature to verify that the user has permissions to apply updates to the files associated with the selected maintenance. Correct any file permissions before clicking Next to start the install.
9) Restart WebSphere Application Server.
Directions to remove fix:
NOTE:
* The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX
Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.
1) Shutdown WebSphere Application Server.
Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against.
2) Start Update Installer
3) Enter the installation location of the WebSphere product from which you want to remove the fix.
4) Select "Uninstall maintenance package" operation.
5) Enter the file name of the maintenance package to uninstall (PKxxxxx.pak).
6) Uninstall the maintenance package.
7) Restart WebSphere Application Server.
Directions to re-apply fix:
1) Shutdown WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.