===============================================================================
Maintenance for Sterling External Authentication Server (SEAS)
===============================================================================

This maintenance archive includes the last GA release of SEAS 2.4.0 plus fixes
for the issues listed below.

===============================================================================
Fixes for SEAS 2.4.0.4 (2.4.0 Patch 4) iFix 1, Build 95 (May 2013)
Full descriptions below.
===============================================================================

DEFECT / APAR

RTC367011/IC90788 - Turn off OS command execution option
RTC368161/IC90709 - Error message information leak

===============================================================================
Fixes for SEAS 2.4.0 Patch 4, Build 94 (December 2012)
===============================================================================

RTC336420/IC85514 - Fast wakeup condition detected
RTC346206/IC86440 - Syntax error in configuration allows users to be
                    authenticated with an invalid password
RTC348461/IC86820 - Use 64-bit JRE on Solaris
RTC349165/IC86628 - CRL checking fails after JRE upgrade

===============================================================================
Fixes for SEAS 2.4.0 Patch 3, Build 93 (August 2012)
Full descriptions below.
===============================================================================

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DoS hashmap attack.

===============================================================================
Fixes for SEAS 2.4.0 Patch 2, Build 92 (December 2011)
Full descriptions below.
===============================================================================

QC20062 - Password Change parameters not saved

===============================================================================
Fixes for SEAS 2.4.0 Patch 1, Build 91 (October 2011)
===============================================================================

QC19229 - Sockets not timing out properly during CRL processing.
QC19518 - Webstart fails to start with missing Jar file exception

===============================================================================
Detailed Descriptions of Fixes for SEAS
===============================================================================

QC19229 - Sockets not timing out properly during CRL processing.

An uncaught exception was causing sockets not to time out properly during CRL
processing.

Resolution: Added code to catch the exception and log it in the trace.

QC19518 - Webstart fails to start with missing Jar file exception

Launching the SEAS GUI through Java Web Start gives the error:

  com.sun.deploy.net.FailedDownloadException: Unable to load resource:
  http://servername:9080/lib/thirdparty/help-share.jar

Resolution: Corrected the list of jar files in the EA_GUI.jnlp file to match
what is actually shipped. Five defunct filenames were replaced with three
updated ones.

QC20062 - Password Change parameters not saved

Password Change parameters were not being saved during a GUI session.

Resolution: Corrected code that was turning off the checkbox during Change
Password processing.

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DoS hashmap attack.

IBM internal research found that Jetty was vulnerable to a denial of service
(DoS) attack when a request carried a very high number of parameters (in the
tens of thousands), with names chosen to collide in the server's hash map so
that inserting them takes quadratic time.

Resolution: Implemented the fix from Eclipse Jetty, which enforces a maximum
of 1000 form keys per request.
The default can be adjusted by adding the Java system property to the
startEngine.sh or startCM.sh startup scripts, for example:

  -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000

Raising the limit widens the window for the attack above; keep it as low as
the GUI and API traffic allow.

RTC368161/IC90709 - Error message information leak

During error conditions, IBM Sterling External Authentication Server may allow
a malicious internal user to obtain product information which could be used to
design further attacks.

Resolution: Updated SEAS to validate any path added to the URL against a
"white list" of allowed paths, and to return "404 Not Found - An invalid input
was submitted to the server" instead of echoing the path.

RTC367011/IC90788 - Turn off OS command execution option

SEAS allows the administrator to configure an OS command to be run as part of
the authentication process. A malicious internal user who has access to the
application and who has administration privileges could configure the system
to issue arbitrary operating system commands, which could affect the
confidentiality, integrity and availability of the system. Support has no
record of any customer using this feature.

Resolution: Removed the option to configure an OS command to be run as part of
the authentication process.
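As an added example that is not part of these release notes, and not SEAS's or Eclipse Jetty's own code, the following Python sketch shows the two request-hardening fixes described above, RTC330660 and RTC368161, side by side: a form-body parser that refuses a request as soon as it exceeds a key cap (the behaviour maxFormKeys gives Jetty), and a path check that percent-decodes and normalises the request path, matches it against an allow-list, and answers with the constant 404 text instead of echoing the path. The allow-list contents (/, /EA_GUI.jnlp, /lib/, /help/), the cap and all function names are assumptions chosen for illustration.

```python
"""Added example, not SEAS or Eclipse Jetty code: the two request-hardening
checks from the fix notes above, RTC330660 (cap on the number of form keys a
request may carry) and RTC368161 (URL path allow-list with a constant 404
message). The allow-list entries, limits and function names are assumptions
chosen for illustration."""
from __future__ import annotations

import posixpath
from urllib.parse import unquote

# Same default Jetty enforces via -Dorg.eclipse.jetty.server.Request.maxFormKeys
MAX_FORM_KEYS = 1000
GENERIC_404 = "404 Not Found - An invalid input was submitted to the server"

# Hypothetical allow-list (assumption): exact resources and directory prefixes.
ALLOWED_EXACT = {"/", "/EA_GUI.jnlp"}
ALLOWED_PREFIXES = ("/lib/", "/help/")


class TooManyFormKeys(Exception):
    """Raised as soon as a request exceeds the form-key cap."""


def parse_form(body: str, max_keys: int = MAX_FORM_KEYS) -> dict[str, list[str]]:
    """Parse an application/x-www-form-urlencoded body into name -> values.

    The cap is checked *before* a new key is inserted, so the server never
    builds the oversized, collision-heavy hash table that a hashmap DoS relies
    on. Repeated values for one key do not count against the cap.
    """
    params: dict[str, list[str]] = {}
    if not body:
        return params
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        name = unquote(name.replace("+", " "))
        value = unquote(value.replace("+", " "))
        if name not in params:
            if len(params) >= max_keys:
                raise TooManyFormKeys(f"request has more than {max_keys} form keys")
            params[name] = []
        params[name].append(value)
    return params


def accepts_form(body: str, max_keys: int = MAX_FORM_KEYS) -> bool:
    """True if the body parses within the cap, False if it would be rejected."""
    try:
        parse_form(body, max_keys)
    except TooManyFormKeys:
        return False
    return True


def check_path(raw_path: str) -> tuple[int, str]:
    """Return (status, body) for a requested path.

    The path is percent-decoded and normalised before it is compared with the
    allow-list, so "/lib/../WEB-INF/x" or "/%2e%2e/x" cannot slip past a prefix
    match. Anything not on the list gets a fixed message: the request path is
    never copied into the response, so it neither discloses what the server
    has nor reflects attacker-controlled input.
    """
    path = posixpath.normpath(unquote(raw_path.split("?", 1)[0]))
    if path in ALLOWED_EXACT:
        return 200, path
    if path.startswith("/") and any(path.startswith(p) for p in ALLOWED_PREFIXES):
        return 200, path
    return 404, GENERIC_404
```

Two details worth keeping when adapting this: the allow-list comparison runs on the decoded, normalised path, since a prefix test on the raw path would still pass /lib/%2e%2e/...; and a bare directory such as /lib/ normalises to /lib and is refused, which is the safe default. The real SEAS change lives in its Java front end; this is a behavioural sketch only.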