[closed] Security Vulnerability NOT resolved by CLM 4.0.6??
I was emailed about a Security Bulletin today:
http://www-01.ibm.com/support/docview.wss?uid=swg21664566
If you follow the various links in the Remediation/Fixes section you eventually get to this page:
How to block the Install URL from being accessed with CLM
I tested our 4.0.5 server using the Verification Testing section of this second page and confirmed that we weren't getting the 403 error.
I decided I'd best kick off the upgrade to 4.0.6 process a.s.a.p.
I upgraded our test server from 4.0.5 to 4.0.6 and noticed that when I performed the Verification Testing again on the upgraded 4.0.6 server I still wasn't getting the 403 error as expected.
Does this mean that in fact the vulnerability exists in 4.0.6 as well?
Can anyone else with a 4.0.6 confirm that this is the case for them?
I performed the steps in the second page for updating the web.xml files on the upgraded 4.0.6 server and I now get the expected 403 error. I'm just not sure whether that's necessary. Perhaps the web.xml files update is a quick fix and the real fix is already protecting the server?
Many Thanks,
Robin
The question has been closed for the following reason: "Current product version is no longer supported." by krzysztofkazmierczyk Jan 03 '20, 4:00 a.m.
Accepted answer
So the modification in the web.xml is not required in 4.0.6 as far as I understand it.
Comments
Ralph is right.
OK - thanks guys. I guess I got my wires crossed a bit. Given that the test was to go to the URL
https://<server>:<port>/<application>/install
and get a blank page if you were vulnerable and a 403 if you were not, I was expecting something other than a blank page with the 4.0.6 version ...
Robin,
To ensure the above steps were successful, navigate to the following URL for each application. You should receive a 403 HTTP error. This will either indicate a "Forbidden" error, or "Access is precluded by configuration."
https://<server>:<port>/<application>/install
Yes, in 4.0.6 you will see a blank page if you browse to https://<server>:<port>/<application>/install .
2 votes
The tech note about blocking URLs has been updated to give some more information about the exact vulnerability and the behavior in 4.0.6:
The steps outlined in this technote work by completely blocking all access to the vulnerable URL. The actual vulnerability is only exploitable through a POST request, and so the 4.0.6 code fix is more granular and works by causing the system to respond with a 403 response only on a POST to the vulnerable URL. If you issue a GET request to a 4.0.6 system you will receive a blank page in response. If you issue a POST request to a 4.0.6 system you will see the 403 response. There are various tools and browser plug-ins available that can issue a POST request if you wish to verify your 4.0.6 system is secured.
2 votes
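The answer above says the difference between the web.xml block and the 4.0.6 code fix is only visible on a POST. The following script, added here as an example and not part of the thread or of IBM's tooling, issues a GET and a POST to `<base_url>/install`, records both status codes, and maps the pair onto the three states the tech note describes. The `start_mock_server()` helper is a constructed stand-in for a CLM server (the `/ccm` context root and the mode names are assumptions) so the check can be run offline; pointing `check_install_url()` at a real `https://<server>:<port>/<application>` base URL tests a live system the same way.

```python
"""Check how a CLM application's /install URL answers GET vs POST.

Added example (not IBM's code). Per the tech note quoted in the thread:
  - web.xml block:  GET and POST both answer 403
  - 4.0.6 code fix: GET answers a blank page, POST answers 403
  - neither:        POST answers something other than 403
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def _status(url, method):
    """Return the HTTP status for one request; 4xx/5xx are results, not errors."""
    req = urllib.request.Request(url, data=b"" if method == "POST" else None, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_install_url(base_url):
    """Probe <base_url>/install with GET and POST; return both status codes."""
    url = base_url.rstrip("/") + "/install"
    return {"GET": _status(url, "GET"), "POST": _status(url, "POST")}


def classify(statuses):
    """Map the (GET, POST) status pair onto the states the tech note describes."""
    get, post = statuses["GET"], statuses["POST"]
    if get == 403 and post == 403:
        return "blocked by web.xml (all methods)"
    if post == 403:
        return "4.0.6 code fix (POST only)"
    return "NOT protected"


def make_mock_handler(mode):
    """Constructed stand-in for a CLM server: 'webxml', '4.0.6' or 'vulnerable'."""
    class Handler(BaseHTTPRequestHandler):
        def _reply(self, code):
            self.send_response(code)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def do_GET(self):
            # Only the web.xml block refuses a plain GET; 4.0.6 serves a blank page.
            self._reply(403 if mode == "webxml" else 200)

        def do_POST(self):
            # Drain any body, then answer 403 only if the server is protected.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))
            self._reply(403 if mode in ("webxml", "4.0.6") else 200)

        def log_message(self, *args):
            pass  # keep the mock quiet
    return Handler


def start_mock_server(mode):
    """Start the mock on a free loopback port; return (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_mock_handler(mode))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # '/ccm' is an assumed application context root.
    return server, "http://127.0.0.1:%d/ccm" % server.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Live use: python check_install.py https://<server>:<port>/<application>
        result = check_install_url(sys.argv[1])
        print(result, "->", classify(result))
    else:
        for mode in ("webxml", "4.0.6", "vulnerable"):
            server, base = start_mock_server(mode)
            result = check_install_url(base)
            print(mode, result, "->", classify(result))
            server.shutdown()
            server.server_close()
```

The script treats a GET that returns a blank 200 page as normal for 4.0.6, which is exactly the result Robin saw; a system is flagged "NOT protected" only when the POST itself is not refused with 403.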