===============================================================================
Maintenance for Sterling External Authentication Server (SEAS)
===============================================================================

This maintenance archive includes the last GA release of SEAS 2.4.1.0 plus fixes for the issues mentioned below.

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 2, Build 62 (May 2013)
Full descriptions below.
===============================================================================
DEFECT / APAR
RTC367011/IC90788 - Turn off OS command execution option

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 1, Build 61 (March 2013)
Full descriptions below.
===============================================================================
DEFECT / APAR
RTC368161/IC90709 - Error message information leak
RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT

===============================================================================
Fixes for SEAS 2.4.1.0 Patch 2, Build 59 (October 2012)
Full descriptions below.
===============================================================================
DEFECT / APAR
RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1
RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level
RTC348461/IC86820 - Use 64-bit JRE on Solaris
RTC346206/IC86440 - Syntax error in configuration allows users to be authenticated with invalid password
RTC336420/IC85514 - Fast wakeup condition detected

===============================================================================
Fixes for SEAS 2.4.1.0 Patch 1, Build 54 (August 2012)
Full descriptions below.
===============================================================================
RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.
===============================================================================
Detailed Descriptions of Fixes for SEAS
===============================================================================

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.

IBM internal research detected that Jetty was vulnerable to a type of denial of service (DOS) attack when the number of HTTP header parameters was high (in the tens of thousands).

Resolution: Implemented the fix from Eclipse Jetty, which enforces a maximum of 1000 keys in the HTTP header. The default can be adjusted by adding the following Java system property to the startEngine.sh or startCM.sh startup scripts:

    -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000

RTC336420/IC85514 - Fast wakeup condition detected

Intermittent problem when SEAS attempts to accept a new connection. At that point, SEAS becomes unresponsive and the logs fill with the following messages:

    WARN com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Fast wakeup condition detected.
    ERROR com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Could not handle fast wakeup condition - java.lang.Error

Resolution: Upgraded the Java Runtime Environment (JRE) to the SR11 maintenance level, which includes a fix for the socket accept problem. Also added code to correct the loop condition and give a better reason for why it is happening.

RTC346206/IC86440 - Syntax error in configuration allows users to be authenticated with invalid password

A misconfigured User DN field in the LDAP Authentication tab of the Sterling External Authentication Server allows invalid users and passwords to be authenticated. The Customer supplied an invalid User DN value in the LDAP Authentication tab: "uid=${name},realm=…". But instead of all incoming sessions being rejected, all sessions were authenticated. The following messages in the log showed that there was a syntax error, but the resulting authentication said "true".
    INFO com.sterlingcommerce.component.authentication.impl.AuthenticationServiceImpl - AUTH064E Exception encountered while evaluating Bind Principal formula: java.lang.IllegalArgumentException: Variable substitution failed for: name. Element not found: name.
    INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter - Sending -> AuthenticationResponse(AUTH064E): Correlator - null: detailResponseCode - AUTH100D, type - Auth, authenticated - true

Resolution: Corrected the SEAS LDAP Authenticator to correctly set the failed authentication flag when a syntax error is detected in the configuration.

RTC348461/IC86820 - Use 64-bit JRE on Solaris

SEAS on Solaris points to the 32-bit JRE, even though the 64-bit JRE is shipped. All the scripts to run the product and utilities point to the ./jre/bin/java executable, which is the 32-bit version of the JRE. The 64-bit version of the JRE is at ./jre/bin/sparcv9/java.

Workaround: Manually update the SEAS/bin/startSeas.sh script to point to the new java location. However, the script gets rebuilt during any maintenance upgrade.

Resolution: Updated the InstallAnywhere logic for the Solaris platform to properly build the scripts to point to the 64-bit version of the JRE at ./jre/bin/sparcv9/java.

RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level

The Customer required that products with the IBM JRE 1.6 be at the SR10 FP1 (Feb 2012) maintenance level or greater.

Resolution: Updated the IBM JRE which ships with SSP 3.4.1 to be at the SR11 (August 2012) maintenance level.

RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1

Getting CERT005E Failed to complete required CRL check when running SEAS 2.4.0 or 2.4.1.0.
The SEAS log shows the following events:

    ERROR CertValidator - CRL Problem 2: Exception processing CRL: MY_CRL: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef (name=MY_CRL): ldaps://10.20.30.40:636/CN=CRL512, O=My Server, C=US?certificateRevocationList?Base
    ERROR CertValidator - CRL check could not be completed for certificate: CN=etc…
    ERROR CertValidator - CERT005E Failed to complete required CRL check. Problem 1 of 2: Exception processing crlDistributionPoint: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef(name=null):

Found that we were using a null value to initialize a Java NameClassPair, which is no longer allowed in the JRE that ships with the 2.4.x versions of SEAS. It returned a java.lang.IllegalArgumentException and caused the subsequent CRL processing to unwind.

Resolution: Corrected the SEAS CRL logic to ensure a non-null value when initializing the NameClassPair. Also added diagnostic lines to make some of the hidden parts of the logic easier to follow in debug mode.

RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT

Connections to SEAS are not getting closed and are going to CLOSE_WAIT or FIN_WAIT2 status after the SEAS custom exit is called. The adapter connections are also not getting released.

Resolution: Updated the SEAS exit to use a different socket factory which automatically times out and releases the sockets correctly.

RTC368161/IC90709 - Error message information leak

During error conditions, IBM Sterling External Authentication Server may allow a malicious internal user to obtain product information which could be used to design further attacks.

Resolution: Updated SEAS to validate any path added to the URL against a "white list" of allowed paths, and return "404 Not Found - An invalid input was submitted to the server" instead of echoing the path.
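The RTC346206 defect described above is a fail-open bug: the template error was logged, but the failed-authentication flag was never set, so the response still said "authenticated - true". The following Python sketch is added here and is not SEAS code; it contrasts a fail-open evaluation of a ${var} bind-principal template with the fail-closed form. The directory, templates, variable names and the AUTH064E wording in the log call are constructed for the illustration.

```python
import logging
import re

log = logging.getLogger("seas-example")

# Constructed sample directory and templates (not SEAS data). The broken
# template references ${name}, a variable the request never supplies.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com": "s3cret"}
BROKEN_TEMPLATE = "uid=${name},ou=people,dc=example,dc=com"
GOOD_TEMPLATE = "uid=${userid},ou=people,dc=example,dc=com"
VAR_PATTERN = re.compile(r"\$\{([A-Za-z0-9_]+)\}")

class FormulaError(ValueError):
    """A bind-principal template referenced a variable that is not available."""

def evaluate_bind_principal(template, request_vars):
    """Expand ${var} references; raise FormulaError on any unknown variable."""
    def substitute(match):
        key = match.group(1)
        if key not in request_vars:
            raise FormulaError(f"Variable substitution failed for: {key}")
        return request_vars[key]
    return VAR_PATTERN.sub(substitute, template)

def ldap_bind(bind_dn, password):
    """Stand-in for an LDAP simple bind: true only for a matching DN and password."""
    return DIRECTORY.get(bind_dn) == password

def authenticate_fail_open(template, request_vars, password):
    """How a fail-open bug can arise: the exception is logged, but the
    authenticated flag keeps its initial value because it is only ever
    updated from a bind result (illustration, not the SEAS code)."""
    authenticated = True
    try:
        bind_dn = evaluate_bind_principal(template, request_vars)
        authenticated = ldap_bind(bind_dn, password)
    except FormulaError as exc:
        log.error("AUTH064E Exception evaluating Bind Principal formula: %s", exc)
    return authenticated

def authenticate_fail_closed(template, request_vars, password):
    """Fixed shape: a configuration syntax error is a failed authentication."""
    try:
        bind_dn = evaluate_bind_principal(template, request_vars)
    except FormulaError as exc:
        log.error("AUTH064E Exception evaluating Bind Principal formula: %s", exc)
        return False
    return ldap_bind(bind_dn, password)
```

The fail-closed form also makes the misconfiguration visible immediately, because every session is rejected until the template is corrected.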
RTC367011/IC90788 - Turn off OS command execution option

SEAS allows the administrator to configure an OS command to be run as part of the authentication process. A malicious internal user who has access to the application and who has administration privileges could configure the system to issue arbitrary Operating System commands, which could affect the confidentiality, integrity and availability of the system. Support has no record of any Customer using this feature.

Resolution: Removed the option to configure an OS command to be run as part of the authentication process.