Security Bulletin: Rational Automation Framework Environment Wizard Vulnerability (CVE-2012-4816)

Published: 2020-04-20 14:50:31
Source: www.ibm.com

EPSS

0.005

Percentile

75.2%

Summary

Accessing the IBM Rational Automation Framework web user interface via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.

Vulnerability Details


**CVEID:** CVE-2012-4816

Description:
Accessing the Rational Automation Framework (RAF) web UI via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.

**CVSS Base Score:** 7.5
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/78379> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

Rational Automation Framework 3.0 and later on all supported platforms.

Remediation/Fixes

None

Workarounds and Mitigations

Workaround(s):

Environment Generation Security Patch for Tomcat

1. Modify the files below so that the Env Gen Wizard no longer allows access without login.

Path: C:\IBM\Apache\tomcat\conf
File: tomcat-users.xml

Add the following user profile between the <tomcat-users> tags:

```xml
<role rolename="admin"/>
<user username="admin" password="test123" roles="admin"/>
```

2. Add the components below above the </web-app> tag.

Path: C:\IBM\Apache\tomcat\webapps\rafw\WEB-INF
File: Web.xml

```xml
<security-role>
  <role-name>admin</role-name>
</security-role>

<security-constraint>
  <display-name>Environment Generation</display-name>
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/rafw/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Secure Area</realm-name>
</login-config>
```

3. Restart BuildForge.


Environment Generation Security Patch for WebSphere Application Server (WAS 7.0 & 8.0)

Update the web.xml File

1. There are two copies of the web.xml file, located in the following directories:

/WAS_install_root/installedApps/<cellname>/rweb.ear/rweb.war/WEB-INF/web.xml

/WAS_install_root/config/cells/<cellname>/applications/rweb.ear/deployments/rweb/rweb.war/WEB-INF/web.xml

Note: If this is a WebSphere Application Server Network Deployment, there is an additional web.xml that must be updated:

/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/<cellname>/applications/rweb_war.ear/deployments/rweb_war/rweb.war/web.xml

2. Insert the basic authentication constraint and security role below into each of the three web.xml files:

```xml
<security-constraint>
  <display-name>Environment Generation</display-name>
  <web-resource-collection>
    <web-resource-name>Security constraint for Env Gen</web-resource-name>
    <url-pattern>/rafw/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>

<security-role>
  <role-name>admin</role-name>
</security-role>
```

3. Enable WebSphere Application Server security:

Open the WebSphere Administrative console using the URL http://:/ibm/console

  • In the WebSphere Application Server administrative console, click Security > Global Security.
  • Select Enable administrative security.
  • Ensure Enable application security is selected.

4. Map Security Roles in Web.xml to WAS Manage User/Group.

  • Select Application > WebSphere Enterprise Applications > Rational Automation Framework
  • Under the Detailed Properties section you will see a link, Security role to user/group mapping (the link appears only if your web.xml is set up correctly). Click Security role to user/group mapping.
  • Select the roles you wish to use for authentication.
  • Click Map Users or Map Groups.
  • Click Search and select users (that are set up in your WebSphere under the Users and Groups menu).
  • Use the arrows to move the selected users/groups to the right-hand box.
  • Click OK and save to the master configuration.

Use https://:9443/rbf-services/LoginServlet if there is any problem with the RAF server auto-redirect.

**Try logging in using the default WAS port: http://:9080/rafw/env**
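Both procedures above come down to the same web.xml state: `/rafw/*` covered by a security-constraint that requires a declared role, CONFIDENTIAL transport, and a login-config. The script below is an added audit check (not part of IBM's bulletin) that verifies those conditions in a web.xml; the two sample documents are constructed, and the namespace handling assumes a standard Java EE web.xml.

```python
"""Audit a web.xml for the CVE-2012-4816 workaround: /rafw/* must sit under a
<security-constraint> with an <auth-constraint> naming a declared role, require
CONFIDENTIAL transport, and the file must carry a <login-config>."""
import xml.etree.ElementTree as ET

def _local(tag):  # real web.xml files use a Java EE namespace; match local names only
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]

def audit_web_xml(xml_text, url_pattern="/rafw/*"):
    """Return a list of findings; an empty list means the workaround is in place."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r for sr in _children(root, "security-role") for r in _texts(sr, "role-name")}
    covering = [sc for sc in _children(root, "security-constraint")
                if any(url_pattern in _texts(wrc, "url-pattern")
                       for wrc in _children(sc, "web-resource-collection"))]
    if not covering:
        findings.append(f"no security-constraint covers {url_pattern}")
    for sc in covering:
        auth = _children(sc, "auth-constraint")
        if not auth:  # no auth-constraint at all: unauthenticated access is allowed
            findings.append(f"constraint on {url_pattern} has no auth-constraint")
        for role in (r for ac in auth for r in _texts(ac, "role-name")):
            if role not in declared:
                findings.append(f"role {role!r} is not declared in a security-role")
        guarantees = [g for udc in _children(sc, "user-data-constraint")
                      for g in _texts(udc, "transport-guarantee")]
        if "CONFIDENTIAL" not in guarantees:
            findings.append(f"constraint on {url_pattern} does not require CONFIDENTIAL transport")
    if not _children(root, "login-config"):
        findings.append("no login-config: the container never challenges for credentials")
    return findings

# Constructed sample: a web.xml with no protection on the wizard path.
UNPATCHED = """<web-app><servlet-mapping><servlet-name>env</servlet-name>
<url-pattern>/rafw/*</url-pattern></servlet-mapping></web-app>"""
# Constructed sample: the bulletin's WAS snippet inside a namespaced web-app.
PATCHED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
<web-resource-collection><web-resource-name>Env Gen</web-resource-name>
<url-pattern>/rafw/*</url-pattern></web-resource-collection>
<auth-constraint><role-name>admin</role-name></auth-constraint>
<user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint></security-constraint><login-config><auth-method>BASIC</auth-method>
</login-config><security-role><role-name>admin</role-name></security-role></web-app>"""
```

Run it against each of the three WAS copies (and the Tomcat Web.xml) after editing; any non-empty result means the wizard is still reachable without the intended control.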

Mitigation(s):

None
