Re: IBM WebSphere Commerce Suite Allows Local Access of Authentication Data and Local Execution of Arbitrary Code
SecurityTracker Alert ID: 1001076
SecurityTracker URL: http://securitytracker.com/id/1001076
Date: Mar 12 2001
Disclosure of authentication information, Execution of arbitrary code via local system
Fix Available: Yes Vendor Confirmed: Yes
A vulnerability has been reported in IBM's WebSphere Commerce Suite that allows a local user to obtain the administrator's username and password and to execute arbitrary commands on the host to gain increased privileges.
IBM has issued a Special Security Notice for IBM Net.Commerce and IBM WebSphere Commerce Suite Version 4.1 Customers. IBM notes that this vulnerability does not apply to the current Version 5.1.
The advisory indicates that a "hacker tool" has been published that could expose some web sites that have not taken preventive actions. Customers of WebSphere Commerce Suite 4.1 or any previous release should have already implemented the fixes recommended by IBM in November 1999 and February 2001 or should implement them immediately. See:
Customers that have custom macros or are using sample code on their production servers are particularly urged to implement the fixes.
The advisory indicates some additional steps that should be followed. See:
A malicious local user can execute arbitrary commands to increase privileges to root.
Vendor URL: www.ibm.com
Access control error
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT)
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: Re: Passwords in Net.Commerce/WebSphere decryptable, any version
IBM Global Services
Managed Security Services
Outside Advisory Redistribution
8 MAR 2001 2:11 GMT MSS-OAR-E01-2001:087.1
The MSS Outside Advisory Redistribution is designed to provide customers of
IBM Managed Security Services with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.
IBM makes no representations and assumes no responsibility for the contents
or accuracy of the advisories themselves.
IBM MSS is forwarding the following information from IBM.
Contact information for IBM is included in the forwarded text
below. Please contact them if you have any questions or need further
----------- Forwarded Information Starts Here.
-----BEGIN PGP SIGNED MESSAGE-----
Special Security Notice for IBM Net.Commerce and IBM WebSphere Commerce
Suite Version 4.1 Customers. This does not apply to Customers of the
current Version 5.1:
IBM understands that the quality and integrity of e-commerce sites is of
paramount importance. As part of our ongoing monitoring of potential
security issues, we have learned that a "hacker tool" has been published
that could expose some web sites that have not taken preventive actions.
If you have WebSphere Commerce Suite 4.1 or any previous release* and
have not yet implemented the fixes recommended by IBM in November 1999
and February 2001
we strongly encourage you to implement those steps immediately. This is
particularly important for those customers who have custom macros or are
using sample code on their production servers.
In addition to those steps, we recommend that you ensure that you have
properly customized the default merchant key shipped with the product.
To assist you in customizing the key, beginning on March 8th IBM will
make available a special utility. Please see the IBM WebSphere Commerce
Suite support web site at
to obtain a copy. This utility should be used along with our
recommendations from November 1999 and February 2001. Please refer to
"Known Security Issues Bulletin #2001-2" under the section, "Technical
Notes - Hints & Tips - Security," at that URL. Today we are also
posting at that URL information to assist you in determining if your
site has been compromised.
This is not an issue for WebSphere Commerce Suite Version 5.1.
Thank you for your attention to this important matter. We encourage you
to continue checking the WebSphere Commerce Suite web site for
information and updates.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
----------- Forwarded Information Ends Here.
IBM's Managed Security Services (MSS) is a subscription-based Internet
security response service that includes computer security incident response
and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension
of your own internal security staff, IBM MSS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures
across your Internet connection(s).
As a part of IBM's Business Continuity and Recovery Service IBM's Managed
Security Services is a component of IBM Global Services Privacy and
Security Services suite of offerings. To find out more about IBM Managed
Security Services, send an electronic mail message to
email@example.com, or call 1-800-426-7378.
IBM MSS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.
IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM MSS PGP* public key is available from
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.
IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.
The information in this document is provided as a service to customers of
IBM Managed Security Services. Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or
implied, or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or
process contained herein, or represents that its use would not infringe any
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by IBM or its subsidiaries. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of IBM or its subsidiaries, and may not be used for advertising or
product endorsement purposes.