===============================================================================
Maintenance for Sterling External Authentication Server (SEAS)
===============================================================================

This cumulative maintenance archive includes the GA release of SEAS 2.4.1.0
plus fixes for the issues listed below.

Contents:

  I.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
  II. Detailed Description of Fixes

===============================================================================
I. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 4, Build 64 (June 2013)
===============================================================================
DEFECT / APAR
RTC366168/IC93055 - SEAS Java Webstart application gets a security warning when launched.

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 3, Build 63 (May 2013)
===============================================================================
DEFECT / APAR
RTC373046/IC91512 - (GUI) - Error condition needed when client times out before shutdown

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 2, Build 62 (May 2013)
===============================================================================
DEFECT / APAR
RTC367011/IC90788 - Turn off OS command execution option

===============================================================================
Fixes for SEAS 2.4.1.2 IFix 1, Build 61 (March 2013)
===============================================================================
DEFECT / APAR
RTC368161/IC90709 - Error message information leak
RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT
===============================================================================
Fixes for SEAS 2.4.1.0 Patch 2, Build 59 (October 2012)
===============================================================================
DEFECT / APAR
RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1
RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level
RTC348461/IC86820 - Use 64-bit JRE on Solaris
RTC346206/IC86440 - Syntax error in configuration allows users to be authenticated with an invalid password
RTC336420/IC85514 - Fast wakeup condition detected

===============================================================================
Fixes for SEAS 2.4.1.0 Patch 1, Build 54 (August 2012)
===============================================================================
RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.

===============================================================================
II. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.

IBM internal research found that Jetty was vulnerable to a type of denial of
service (DOS) attack when the number of HTTP header parameters was very high
(in the tens of thousands).

Resolution: Implemented the fix from Jetty (Eclipse), which enforces a maximum
number of keys in the HTTP header of 1000. The default can be adjusted by
adding the following Java system property to the startEngine.sh or startCM.sh
startup scripts:

  -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000

RTC336420/IC85514 - Fast wakeup condition detected

Intermittent problem when SEAS attempts to accept a new connection. At that
point SEAS becomes unresponsive and the logs fill with the following messages:

  WARN  com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Fast wakeup condition detected.
  ERROR com.sterlingcommerce.component.accepter.csap.impl.AccepterImpl - Could not handle fast wakeup condition - java.lang.Error

Resolution: Upgraded the Java Runtime Environment (JRE) to the SR11
maintenance level, which includes a fix for the socket accept problem. Also
added code to correct the loop condition and to give a better reason for why
it is happening.

RTC346206/IC86440 - Syntax error in configuration allows users to be authenticated with an invalid password

A misconfigured User DN field in the LDAP Authentication tab of the Secure
External Authentication Server allows invalid users and passwords to be
authenticated. The Customer supplied an invalid User DN value in the LDAP
Authentication tab: "uid=${name},realm=…". Instead of all incoming sessions
being rejected, all sessions were authenticated. The following log messages
showed that there was a syntax error, yet the resulting authentication said
"true":

  INFO com.sterlingcommerce.component.authentication.impl.AuthenticationServiceImpl - AUTH064E Exception encountered while evaluating Bind Principal formula: java.lang.IllegalArgumentException: Variable substitution failed for: name. Element not found: name.
  INFO com.sterlingcommerce.component.dispatcher.XmlConversionFilter - Sending -> AuthenticationResponse(AUTH064E): Correlator - null: detailResponseCode - AUTH100D, type - Auth, authenticated - true

Resolution: Corrected the SEAS LDAP Authenticator to set the failed
authentication flag when a syntax error is detected in the configuration.

RTC348461/IC86820 - Use 64-bit JRE on Solaris

SEAS on Solaris points to the 32-bit JRE, even though the 64-bit JRE is
shipped. All the scripts that run the product and its utilities point to the
./jre/bin/java executable, which is the 32-bit version of the JRE. The 64-bit
version of the JRE is at ./jre/bin/sparcv9/java.

Workaround: Manually update the SEAS/bin/startSeas.sh script to point to the
new java location.
However, the script gets rebuilt during any maintenance upgrade.

Resolution: Updated the InstallAnywhere logic for the Solaris platform to
build the scripts so that they point to the 64-bit version of the JRE at
./jre/bin/sparcv9/java.

RTC348784/IC86821 - Upgrade bundled JRE to IBM SR11 (August 2012) level

The Customer required that products with the IBM JRE 1.6 be at the SR10 FP1
(Feb 2012) maintenance level or greater.

Resolution: Updated the IBM JRE which ships with SSP 3.4.1 to the SR11
(August 2012) maintenance level.

RTC349165/IC86628 - CRL checking fails after upgrade to SEAS 2.4.1

Getting "CERT005E Failed to complete required CRL check" when running SEAS
2.4.0 or 2.4.1.0. The SEAS log shows the following events:

  ERROR CertValidator - CRL Problem 2: Exception processing CRL: MY_CRL: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef (name=MY_CRL): ldaps://10.20.30.40:636/CN=CRL512, O=My Server, C=US?certificateRevocationList?Base
  ERROR CertValidator - CRL check could not be completed for certificate: CN=etc…
  ERROR CertValidator - CERT005E Failed to complete required CRL check. Problem 1 of 2: Exception processing crlDistributionPoint: java.lang.IllegalArgumentException: CRL not found for LdapQueryDef(name=null):

Found that a null value was being used to initialize a Java NameClassPair,
which is no longer allowed in the JRE that ships with the 2.4.x versions of
SEAS. It threw a java.lang.IllegalArgumentException and caused the subsequent
CRL processing to unwind.

Resolution: Corrected the SEAS CRL logic to ensure a non-null value when
initializing the NameClassPair. Also added diagnostic lines to make some of
the hidden parts of the logic easier to follow in debug mode.

RTC355410/IC89579 - Connections are not getting closed and going to CLOSE_WAIT

Connections to SEAS are not getting closed and are going to CLOSE_WAIT or
FIN_WAIT2 status after the SEAS custom exit is called.
The adapter connections are also not getting released.

Resolution: Updated the SEAS exit to use a different socket factory which
automatically times out and releases the sockets correctly.

RTC366168/IC93055 - SEAS Java Webstart application gets a security warning when launched.

The SEAS Webstart GUI application gets a security warning when it is launched.
The jar files that are downloaded when the SEAS Webstart is launched are signed
with a self-signed certificate, causing the following message at startup:

  The application's digital signature cannot be verified. Do you want to run the application?

Resolution: All the SEAS jar files are now signed with an IBM certificate
which is itself signed by Verisign. Once the Webstart GUI has been launched
and the user has accepted the certificate, the warning does not appear again.

RTC367011/IC90788 - Turn off OS command execution option

SEAS allows the administrator to configure an OS command to be run as part of
the authentication process. A malicious internal user who has access to the
application and who has administration privileges could configure the system
to issue arbitrary operating system commands, which could affect the
confidentiality, integrity and availability of the system. Support has no
record of any Customer using this feature.

Resolution: Removed the option to configure an OS command to be run as part of
the authentication process.

RTC368161/IC90709 - Error message information leak

During error conditions, IBM Sterling External Authentication Server may allow
a malicious internal user to obtain product information which could be used
to design further attacks.

Resolution: Updated SEAS to validate any path added to the URL against a
"white list" of allowed paths, and to return "404 Not Found - An invalid input
was submitted to the server" instead of echoing the path.
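The allow-list check described for RTC368161/IC90709, as an added example that is not SEAS code: the legacy handler reflects the unknown path into its error body, while the fixed handler canonicalizes the request path, compares it against a fixed allow-list and answers every rejection with the same generic 404 text. The class and method names and the paths in ALLOWED are assumptions; the 404 text is the one quoted above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public class PathAllowList {
    // Allow-list is assumed for the example; the product's real list of paths is not published here.
    static final Set<String> ALLOWED = Set.of("/", "/seas/login", "/seas/status");
    static final String GENERIC_404 = "404 Not Found - An invalid input was submitted to the server";

    record Response(int status, String body) {}

    // Old behaviour (the leak): the unknown, client-supplied path is reflected into the error body.
    static Response legacyRespond(String rawPath) {
        if (ALLOWED.contains(rawPath)) return new Response(200, "OK");
        return new Response(404, "Not Found: " + rawPath);
    }

    // Fixed behaviour: canonicalize, compare against the allow-list, and answer every
    // rejection with the same fixed body so nothing client-supplied is echoed back.
    static Response respond(String rawPath) {
        String path;
        try {
            // normalize() collapses "." and ".." segments; getPath() decodes %xx escapes,
            // so the comparison is made against the path the server would actually serve.
            path = new URI(rawPath).normalize().getPath();
        } catch (URISyntaxException e) {
            return new Response(404, GENERIC_404);
        }
        if (path == null || !ALLOWED.contains(path)) return new Response(404, GENERIC_404);
        return new Response(200, "OK");
    }

    public static void main(String[] args) {
        // Constructed request paths: an exact match, one that matches only after
        // normalization and decoding, and one that is not on the list.
        for (String p : new String[] {"/seas/status", "/seas/x/../%73tatus", "/nonexistent"}) {
            System.out.println(p + " -> legacy: " + legacyRespond(p).body()
                               + " | fixed: " + respond(p).body());
        }
    }
}
```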
RTC373046/IC91512 - (GUI) - Error condition needed when client times out before shutdown

When the SEAS admin is logged onto the GUI and attempts to shut down SEAS
after the GUI session has already timed out, the shutdown appears to succeed
but does not happen. No messages are returned and the GUI terminates as it
would during a normal shutdown.

Resolution: The GUI user is now notified that the shutdown was unsuccessful
because the session timed out.
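The fail-open behaviour behind RTC346206/IC86440 (described in section II above), as an added example that is not SEAS code: substitute() expands ${var} references in the Bind Principal formula and raises the IllegalArgumentException quoted in the AUTH064E log line, evaluateBuggy() reproduces the reported outcome (authenticated true despite the error) and evaluateFixed() fails closed. The class and method names and the ldapBind stand-in are assumptions; the formula string is the one quoted on the page.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BindPrincipalFormula {
    private static final Pattern VAR = Pattern.compile("\\$\\{([^}]+)\\}");
    // Expand ${var} references from the session attributes. An unknown variable raises the
    // IllegalArgumentException quoted in the AUTH064E log line on the page.
    static String substitute(String formula, Map<String, String> session) {
        Matcher m = VAR.matcher(formula);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String var = m.group(1);
            if (!session.containsKey(var)) {
                throw new IllegalArgumentException("Variable substitution failed for: " + var + ". Element not found: " + var);
            }
            m.appendReplacement(out, Matcher.quoteReplacement(session.get(var)));
        }
        m.appendTail(out);
        return out.toString();
    }
    // Stand-in for the LDAP bind (assumed): accepts one constructed DN/password pair.
    static boolean ldapBind(String dn, String pw) { return "uid=alice,realm=…".equals(dn) && "s3cret".equals(pw); }

    // Buggy: the flag starts as true and only the bind can change it, so an exception
    // raised before the bind leaves the default in place (fail open).
    static boolean evaluateBuggy(String formula, Map<String, String> session) {
        boolean authenticated = true;
        try {
            authenticated = ldapBind(substitute(formula, session), session.get("password"));
        } catch (IllegalArgumentException e) {
            System.out.println("AUTH064E " + e.getMessage());
        }
        return authenticated;
    }
    // Fixed: a syntax error in the formula is an authentication failure (fail closed).
    static boolean evaluateFixed(String formula, Map<String, String> session) {
        try {
            return ldapBind(substitute(formula, session), session.get("password"));
        } catch (IllegalArgumentException e) {
            System.out.println("AUTH064E " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Misconfigured formula as quoted on the page ("name" is not a session variable); session is constructed.
        Map<String, String> session = Map.of("userid", "alice", "password", "wrong");
        System.out.println("buggy: authenticated - " + evaluateBuggy("uid=${name},realm=…", session));
        System.out.println("fixed: authenticated - " + evaluateFixed("uid=${name},realm=…", session));
    }
}
```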