History: Jun 17, 2018 - 4:45 a.m.

Security Bulletin: Vulnerability in Rational Directory Server help files system with potential for debug info in error message (CVE-2013-0599)

2018-06-17 04:45:16
www.ibm.com

EPSS: 0.003 (percentile: 69.1%)

Summary

A parameter path to the Rational Directory Server help documentation causes the server to respond with an HTTP ERROR 500 message whose debug information is displayed in the browser.

Vulnerability Details

CVE ID: CVE-2013-0599

**Description:** A parameter path to the Rational Directory Server help documentation causes the server to respond with an HTTP ERROR 500 message whose debug information is displayed in the browser.

CVSS Base Score: 5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83613>

CVSS Environmental Score: Undefined

CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)

Affected Products and Versions

RDA versions 5.2.1 (and earlier) and 5.1.1.2 (and earlier) are affected by this vulnerability.

Remediation/Fixes

Upgrade to one of the following releases:

Workarounds and Mitigations

WORKAROUND:

Download and extract the rds-help.war file: <http://download.boulder.ibm.com/ibmdl/pub/software/rationalsdp/documentation/war/rds-help.war_1.0.0.I20130508_1017.zip>

RDA with Apache Tomcat Server. 5.2.0.2 (or earlier) and 5.1.1.1 (or earlier):

  1. Stop the WebAccessServer.
    Windows:
    `<RDS\RDA install location>\WebAccessServer\apache-tomcat-x.0.xx\bin\catalina.bat stop`
    UNIX / Linux:
    `<RDS/RDA install location>/WebAccessServer/apache-tomcat-x.0.xx/bin/catalina.sh stop`

  2. Navigate to the war file located in the RDS/RDA install location.
    Windows:
    `<RDS\RDA install location>\WebAccessServer\apache-tomcat-x.0.xx\webapps`
    UNIX / Linux:
    `<RDS/RDA install location>/WebAccessServer/apache-tomcat-x.0.xx/webapps`

  3. Delete/backup the following:
    • file: rds-help.war
    • directory: rds-help

  4. Replace with the rds-help.war download.

  5. Start the WebAccessServer.
    Windows:
    `<RDS\RDA install location>\WebAccessServer\Start_RDAWebServer.bat`
    UNIX / Linux:
    `<RDS/RDA install location>/WebAccessServer/Start_RDAWebServer.sh`

RDA with WebSphere Application Server. 5.2.1 (or later) and 5.1.1.2 (or later):

  1. Stop the WebAppsServer.
    Windows:
    `<RDS\RDA install location>\WebAppsServer\RDAWebAppServer.bat stop`
    UNIX / Linux:
    `<RDS/RDA install location>/WebAppsServer/RDAWebAppServer.sh stop`

  2. Navigate to the war file located in the RDS/RDA install location.
    Windows:
    `<RDS\RDA install location>\WebAppsServer\WLP_8.5.x.0\usr\servers\defaultServer\(apps Or dropins)`
    UNIX / Linux:
    `<RDS/RDA install location>/WLP_8.5.x.0/usr/servers/defaultServer/(apps Or dropins)`

  3. Delete/backup the following:
    • file: rds-help.war

  4. Replace with the rds-help.war download.

  5. Start the WebAppsServer.
    Windows:
    `<RDS\RDA install location>\WebAppsServer\RDAWebAppServer.bat start`
    UNIX / Linux:
    `<RDS/RDA install location>/WebAppsServer/RDAWebAppServer.sh start`

The latest rds-help.war file, which does not have the security vulnerabilities, is now installed.
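
Steps 3 and 4 of either procedure on UNIX / Linux, written as an added example that is not part of the IBM bulletin: it keeps the backup outside the deployment directory, because a renamed copy left in `webapps` or `dropins` can be deployed again alongside the fixed file. The function name, its arguments and the backup layout are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM's script). Run only after the server is stopped.
# Usage: replace_help_war <webapps|apps|dropins dir> <new rds-help.war> <backup dir>
replace_help_war() {
    deploy_dir=$1; new_war=$2; backup_dir=$3

    [ -d "$deploy_dir" ] || { echo "no such directory: $deploy_dir" >&2; return 1; }
    [ -s "$new_war" ]    || { echo "missing or empty war: $new_war" >&2; return 1; }

    mkdir -p "$backup_dir" || return 1
    deploy_abs=$(cd "$deploy_dir" && pwd -P) || return 1
    backup_abs=$(cd "$backup_dir" && pwd -P) || return 1

    # Refuse a backup location at or below the deployment directory: the old
    # application could be picked up and served again from there.
    case "$backup_abs/" in
        "$deploy_abs/"*)
            rmdir "$backup_abs" 2>/dev/null   # drop it if we just created it
            echo "backup dir must be outside $deploy_abs" >&2
            return 1 ;;
    esac

    # Step 3: move the old war and its exploded directory out of the way.
    # The bulletin lists the rds-help directory for the Tomcat layout only,
    # so a missing item is skipped rather than treated as an error.
    for item in rds-help.war rds-help; do
        if [ -e "$deploy_abs/$item" ]; then
            mv "$deploy_abs/$item" "$backup_abs/" || return 1
        fi
    done

    # Step 4: install the downloaded war under the original file name and
    # confirm the copy is byte-identical to the download.
    cp "$new_war" "$deploy_abs/rds-help.war" || return 1
    cmp -s "$new_war" "$deploy_abs/rds-help.war"
}
```

The function returns non-zero without touching the deployed files if the download is missing or the backup path is unsafe, so it can gate the server start in step 5.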
