===============================================================================
Maintenance for Sterling External Authentication Server (SEAS)
===============================================================================

This cumulative maintenance archive includes the GA release of SEAS 2.4.00 plus
fixes for the issues listed below.

Contents:
  I.  Summary of Fixes by Patch/APAR (Latest iFix / FixPack first)
  II. Detailed Description of Fixes

===============================================================================
I. Summary of Fixes by iFix / FixPack / APAR (Latest iFix / FixPack first)
===============================================================================

===============================================================================
Fixes for SEAS 2.4.0.4 (2.4.00 Patch 4) iFix 3, Build 100 (August 2013)
===============================================================================
DEFECT / APAR
No defect - Build and ship with IBM Java: JRE6 SR14.

===============================================================================
Fixes for SEAS 2.4.0.4 (2.4.00 Patch 4) iFix 2, Build 96 (June 2013)
===============================================================================
DEFECT / APAR
RTC366168/IC93055 - SEAS Java Webstart application gets security warning when launched.

===============================================================================
Fixes for SEAS 2.4.0.4 (2.4.00 Patch 4) iFix 1, Build 95 (May 2013)
Full descriptions below.
===============================================================================
DEFECT / APAR
RTC367011/IC90788 - Turn off OS command execution option
RTC368161/IC90709 - Error message information leak

===============================================================================
Fixes for SEAS 2.4.04 Patch 4, Build 94 (December 2012)
===============================================================================
RTC336420/IC85514 - Fast wakeup condition detected
RTC346206/IC86440 - Syntax error in configuration allows users to be authenticated with invalid password
RTC348461/IC86820 - Use 64-bit JRE on Solaris
RTC349165/IC86628 - CRL checking fails after JRE upgrade

===============================================================================
Fixes for SEAS 2.4.0 Patch 3, Build 93 (August 2012)
Full descriptions below.
===============================================================================
RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.

===============================================================================
Fixes for SEAS 2.4.0 Patch 2, Build 92 (December 2011)
Full descriptions below.
===============================================================================
QC20062 - Password Change parameters not saved

===============================================================================
Fixes for SEAS 2.4.0 Patch 1, Build 91 (October 2011)
===============================================================================
QC19229 - Sockets not timing out properly during CRL processing.
QC19518 - Webstart fails to start with missing Jar file exception

===============================================================================
II. Detailed Description of Fixes (in Defect ascending order)
===============================================================================

QC19229 - Sockets not timing out properly during CRL processing.
An uncaught exception was causing sockets not to time out properly during CRL processing.
Resolution: Added code to catch the exception and log it in the trace.

QC19518 - Webstart fails to start with missing Jar file exception
Launching the SEAS GUI through Webstart gives the error:
  com.sun.deploy.net.FailedDownloadException: Unable to load resource:
  http://servername:9080/lib/thirdparty/help-share.jar
Resolution: Corrected the list of jar files in the EA_GUI.jnlp file to match what is being shipped. 5 defunct filenames were replaced with 3 updated ones.

QC20062 - Password Change parameters not saved
Password Change parameters were not being saved during a GUI session.
Resolution: Corrected code that was turning off the checkbox during Change Password processing.

RTC330660 - Jetty PSIRT Advisory 258 - Fix for DOS Hashmap attack.
IBM internal research detected that Jetty was vulnerable to a type of denial of service (DOS) attack when the number of HTTP header parameters was high (in the tens of thousands).
Resolution: Implemented the fix from Eclipse Jetty, which enforces a maximum of 1000 keys in the HTTP header. The default can be adjusted by adding the Java system property to the startEngine.sh or startCM.sh startup scripts:
  -Dorg.eclipse.jetty.server.Request.maxFormKeys=2000

RTC366168/IC93055 - SEAS Java Webstart application gets security warning when launched.
The SEAS Webstart GUI application gets a security warning when it is launched. The jar files downloaded when the SEAS Webstart is launched are signed with a self-signed certificate, which causes this message at startup:
  The application's digital signature cannot be verified. Do you want to run the application?
Resolution: All SEAS jar files are now signed with an IBM certificate that is itself signed by Verisign. Once the Webstart GUI has been launched and the certificate has been accepted by the user, the warning does not appear again.

RTC368161/IC90709 - Error message information leak
During error conditions, IBM Sterling External Authentication Server may allow a malicious internal user to obtain product information which could be used to design further attacks.
Resolution: Updated SEAS to validate any path added to the URL against a "white list" of allowed paths, and return "404 Not Found - An invalid input was submitted to the server" instead of echoing the path.

RTC367011/IC90788 - Turn off OS command execution option
SEAS allows the administrator to configure an OS command to be run as part of the authentication process. A malicious internal user who has access to the application and who has administration privileges could configure the system to issue arbitrary Operating System commands, which could affect the confidentiality, integrity and availability of the system. Support has no record of any Customer using this feature.
Resolution: Removed the option to configure an OS command to be run as part of the authentication process.
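The two request-handling fixes above (the path "white list" with a fixed 404 body in RTC368161/IC90709, and the cap on the number of form keys in RTC330660) follow a pattern worth seeing in working code. The block below is an added example and is not SEAS or Jetty code; the allow-list entries, the function names, the urlencoded request format and the 413 status used for an over-limit body are assumptions made for illustration. The 1000-key limit is the default quoted in the notes.

```python
"""
Added example (not SEAS or Jetty code): two request-validation checks of the
kind described in the fix notes, written as a small stand-alone handler.
  - an allow-list of URL paths; any other path gets one fixed 404 body that
    never echoes the submitted path (RTC368161/IC90709)
  - a cap on the number of form keys, applied before the keys are parsed into
    a dictionary, so an oversized parameter list is refused up front
    (RTC330660)
All names and sample values here are constructed for the example.
"""
from urllib.parse import unquote_plus

# Hypothetical allow-list; a real one is derived from the paths the
# application actually serves, not typed by hand.
ALLOWED_PATHS = frozenset({
    "/",
    "/EA_GUI.jnlp",
    "/lib/seas-gui.jar",
})

MAX_FORM_KEYS = 1000  # same value as the Jetty default quoted in the notes

# One fixed body for every rejected path: the error text carries nothing the
# client sent, so it cannot reflect input or reveal how paths are handled.
NOT_FOUND_BODY = "404 Not Found - An invalid input was submitted to the server"


def check_path(path: str) -> tuple[int, str]:
    """Return (status, body) for a request path. Unknown paths all get the
    same generic 404; the attacker-controlled path is never put in output."""
    # Exact match only: variants such as "/EA_GUI.jnlp;x" or a path that
    # would normalise to an allowed one are rejected rather than canonicalised.
    if path in ALLOWED_PATHS:
        return 200, "OK"
    return 404, NOT_FOUND_BODY


def count_form_keys(body: str) -> int:
    """Count '&'-separated pairs without building a dict, so the check is
    linear in the input and allocates nothing per key."""
    if not body:
        return 0
    return body.count("&") + 1


def parse_form(body: str, max_keys: int = MAX_FORM_KEYS) -> dict[str, str]:
    """Decode a urlencoded body, refusing it (ValueError) when it carries more
    than max_keys pairs. The refusal happens before any dict work is done."""
    n = count_form_keys(body)
    if n > max_keys:
        raise ValueError(f"form has {n} keys, limit is {max_keys}")
    result: dict[str, str] = {}
    for pair in (body.split("&") if body else []):
        key, _, value = pair.partition("=")
        result[unquote_plus(key)] = unquote_plus(value)
    return result


def handle(path: str, body: str = "") -> tuple[int, str]:
    """Minimal request handler: path allow-list first, then the key cap."""
    status, text = check_path(path)
    if status != 200:
        return status, text
    try:
        form = parse_form(body)
    except ValueError:
        # 413 is an assumption for this example; the notes do not say which
        # status Jetty returns when the cap is exceeded.
        return 413, "Request Entity Too Large"
    return 200, f"OK ({len(form)} form keys)"


if __name__ == "__main__":
    # Constructed sample requests
    print(handle("/EA_GUI.jnlp"))
    print(handle("/lib/thirdparty/not-shipped.jar"))   # generic 404, path not echoed
    print(handle("/", "&".join(f"k{i}=v" for i in range(5000))))  # over the cap
```

The order of the checks matters: the path is validated before the body is touched, so a request for an unknown path never reaches the form parser, and the key count is taken with a single scan before any per-key allocation, which is what keeps a hash-collision style parameter flood from being expensive to reject.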