WebSphere Cast Iron Hypervisor Delivers Xen Support

WebSphere Cast Iron Hypervisor fix pack version 7.0.0.1 became available on June 30, 2014, and with it came support for Xen as a hosting environment.
Cast Iron Hypervisor delivers rapid cloud integration for companies that want to harmonize business processes across a hybrid landscape. Cast Iron delivers elegant integration solutions like the ability to:

  • Quickly connect cloud and on-premise applications
  • Chaperone legacy integrations into the cloud
  • Collaborate with IBM Worklight to externalize mobile-app enterprise data and processes

With the 7.0.0.1 fix pack, Hypervisor can now run on any of the following hosting environments:

  • VMware ESX/ESXi 4.1, 5.0 or 5.1
  • IBM PureApplication System W1500 1.0.0.4
  • Xen 4.1.2 running on Red Hat Enterprise Linux (RHEL) Server release 5.6 or later, and 6.0

TxMQ offers full Cast Iron service and support. Contact VP Miles Roty for more information: miles@txmq.com, 716-636-0070 x228.

IBM's Big Spend: $3 Billion To Reach 7 Nanometers

I get excited when I hear about major new R&D, backed by major investment, all for a major goal. Like this one: IBM’s long-term goal to build a neurosynaptic system with ten billion neurons and a hundred trillion synapses, all while consuming only one kilowatt of power and occupying less than two liters of volume.
As a step toward that goal, IBM is committing $3 billion over the next 5 years for R&D to push the limits of chip technology. Cloud computing and big-data systems pose new demands like bandwidth-to-memory, high-speed communication and power consumption, which in turn demand more horsepower. IBM wants to breed the ultimate thoroughbred. So it’s using the $3 billion spend to push the limits of chip technology to smaller and more powerful scales. The R&D teams will include IBM research scientists from Albany and Yorktown, N.Y., Almaden, Calif. and Europe.
What’s really interesting is the semiconductor threshold: IBM says it wants to use the $3 billion to pave the way toward the 7 nanometer plateau (10,000 times thinner than a strand of human hair). IBM researchers and other semiconductor experts predict that while challenging, semiconductors show promise to scale from today’s 22-nanometer standard down to 14 and then 10 nanometers in the next several years. However, scaling to 7 nanometers (and perhaps below) by the end of the decade will require significant investment and innovation in semiconductor architectures as well as invention of new tools and techniques for manufacturing.
What happens beyond 7 nanometers? Then it’s time to ditch silicon and move to potential alternatives like carbon nanotubes or non-traditional computational approaches such as neuromorphic computing, cognitive computing, machine-learning techniques and quantum computing. So the quicker we get to 7 nanometers, the quicker we break into the promise of, say, quantum computing. And the quicker we break into the next computing revolution, the quicker we reach defining milestones of human history like interstellar travel and the end of disease. I firmly believe that.
IBM chip timeline

TxMQ helping customers move to IBM IIB

IBM has announced End of Support for several integration products.
Are you invested in WPS, WESB, or other IBM software slated for “sunset”?
End of life is approaching for some popular WebSphere products, now mapped towards IBM Integration Bus, or IIB.
TxMQ is helping customers make the move to IBM IIB.
Whether your migration path is from WebSphere Message Broker, WESB, and/or Process Server – TxMQ has the skills and experience to help you implement IIB, and deploy your workloads over as efficiently as possible.
Call us today for a no obligation, no charge evaluation and consultation.
Photo Provided by Allan English CPA

TxMQ Again Named One Of WNY's Fastest Growing Companies

For the third consecutive year, TxMQ has made the top 5 list of Western New York’s fastest growing companies. Last year TxMQ took top honors and this year, we placed 3rd. This rounds out three years of being in the top 5, placing 5th in 2011.
Guess what, folks? I think that’s pretty incredible. When it comes to businesses, it’s hard to maintain steady growth over a three year period. All companies experience ups and downs that reflect a variety of reasons, many times not reflective of the company itself, but extraneous factors controlled by clients’ budgets, economy, etc.
I’m proud to work for this company. I’m proud of the integrity TxMQ shows on a daily basis. I’m proud to represent a company who always puts our clients’ needs before anything else.
It’s a company who rewards its employees for hard work with things like flex time, paid gym memberships and yoga Wednesdays. It’s a company run by a man with a family who understands there’s more to life than working 24×7. However, he creates an atmosphere that makes you want to go above and beyond to make TxMQ just that much more successful.
Having been the one to accept the award on TxMQ’s behalf last night, I was honored to walk up to the front and shake hands with the presenters. I took pride in the applause that was given because the folks attending the reception understand just what an accomplishment it is to make the list even once. We’ve made it three years in a row.
Know why else I am so proud of this company? This growth over the past three years has been completely reflective of our ability to step outside the box and play outside of our comfort zone. The success is solely indicative of a company who has worked hard to tailor our services around what we know our clients need, and not necessarily just the easiest path to make money.
It’s a reflection of our bold foray into new services and taking chances on hiring and retaining the best possible bench talent that the industry can provide. Our subject matter experts, Bob Becktell, Gary Dischner, Allan Bartleywood, Arthur Rodriguez, Cindy Gregoire and others are steeped in talent and have cultivated knowledge for years and years within this industry.
Growth isn’t easy. It requires a CEO who wants to take chances and it requires a team who doesn’t want to rest at being status quo. Four years ago, when I joined TxMQ, we were an IT staffing company. A body shop, per se. Now, through the strategic planning and efforts of the leadership, sales, recruiting, marketing and technical teams, we are a company built on solutions. We provide one of the largest technology providers in the world, IBM, with our consultants, knowledge and support. We have custom tailored enterprise IBM solutions from software and appliance sale to architecture of the solution.
But what’s even better about TxMQ, and something we look forward to building out and marketing in the latter part of 2014 is that we don’t only support IBM customers. While it’s a legacy skill set, we have the talent, resources and wherewithal to support customers running on any platform. We want to get our hands dirty in any platform our customers need help with. Because of this agnostic approach, I believe you will once again see TxMQ as a Top 5 company in 2014 as well.
Check back in the next year, because great things are continuing to happen here at TxMQ! Follow us on LinkedIn, Twitter and Facebook to stay up to date on all things new at TxMQ.

Predicting Tech: Is This The True Rush To The Cloud?

A few thoughts on cloud with an hour left at work on a Friday.

Hosted services aren’t new. Virtualization isn’t new. The practice of hosting applications grew out of advancements in virtualization technology. Remember it was mainframes that began offering virtualized partitions back in the 1960s (IBM’s CP-67 and the VM systems that followed it); the hardware-enforced logical partitions we call LPARs today came later. This technology eventually moved to the distributed world and allowed single physical boxes to host multiple, isolated environments or clients. Thus were born the first hosted applications, or what we can consider early cloud solutions.

Today the technology has advanced far beyond these simple examples. Hardware’s virtualized. So are applications. Memory, IO and network connectivity are not only virtualized, but now also managed (either by the hardware, the operating system or third-party software) to involve real-time redundancy and failover to produce nearly 100% uptime availability.

Thus we see old factory buildings and warehouses being repurposed as datacenters. Add in some redundant power, cooling and network connections and anyone can set up and host a cloud server farm. Seems like the rush has arrived, right?

Not so fast. There is a bullrush to move everything possible into the cloud. For the public at large, it’s a great way to store and access music, share photos, run productivity applications like Salesforce and Word and stream video. For a business, it’s a great way to add functionality without increased overhead. You don’t need a cross-company hardware upgrade or extra seat to support a new bit of enterprise software. The software is hosted, it runs through a browser and the cloud services provider handles backup, availability and most support (which you’ll want to confirm and evaluate, of course).

Yet for all the hype, the true rush-to-cloud hasn’t yet begun. Remember, when you move any portion of business or functionality into the cloud, you’re inevitably going to face bandwidth issues like massive upload queues, taxed servers, partial data loss or decay and all the other headaches that come from relying on someone else to deliver functionality that used to reside in-house. Total solutions have not yet arrived, but are on the way.

That’s why I argue that the true cloud rush probably won’t come until sometime in late-2015/early-2016.

What do you think? And why? Sound off in the comments section below.

Want to know more about how to move into the cloud? Contact TxMQ: (716) 636-0070 or consulting@txmq.com.

Heartbleed Attack

Bleeding Heart flowers are beautiful. Fragrant, indicative of summer, warm breeze, sunshine…ahhhh. Heartbleed? Another story. Heartbleed is not a virus but a bug (CVE-2014-0160) in OpenSSL’s implementation of the TLS heartbeat extension. It is present in OpenSSL 1.0.1 through 1.0.1f and fixed in 1.0.1g, and it lets anyone who can connect to a vulnerable server read up to 64 KB of that server’s memory per request: session cookies, passwords in flight, even the server’s private key. Millions of websites run affected versions, which is why security experts are using terms like “catastrophic” and “devastating.” The fix is in the hands of site operators: patch OpenSSL, restart every service that uses it, and reissue certificates whose private keys may have leaked. According to tomsguide.com, Heartbleed mainly creates problems on web and email servers. Windows PCs, Macs and most mobile devices aren’t directly affected (software that bundles a vulnerable OpenSSL, such as Android 4.1.1, is the exception), and antivirus software has no impact on Heartbleed. While systems admins across the globe are scrambling to patch servers, the average internet user can do little but wait for each site to patch. If you want to be proactive, here are some things you can do:
1. Change your passwords, but only after the site has patched. Tumblr, Flickr and Yahoo were particularly exposed: unlike many prominent sites, these three did not patch before the Heartbleed bug became public knowledge on Monday, April 7, 2014. “Security researchers…[April 8] used Heartbleed to capture usernames and passwords as random people logged into their Yahoo! mail accounts. If the good guys were doing that, you can bet the bad guys were, too.” Changing a password on a site that is still vulnerable just sends the new password through the same hole, so wait for the site to confirm it has patched, then change. If your Yahoo! password is used for any other accounts you have online, change the password on those accounts, too.
2. Change Google, Facebook and Dropbox passwords, too. These sites patched before the bug went public, but the flaw had been in OpenSSL since version 1.0.1 shipped in March 2012, so they could have been attacked at any time before their patch. One of the nastiest things about Heartbleed is that it leaves no trace: a malicious heartbeat looks like ordinary TLS traffic and is not logged, so systems administrators may never know whether they were compromised.
3. Log out of all apps on mobile devices. Mobile apps often keep you logged in with long-lived authorization tokens, especially for Gmail, Dropbox and Yahoo! Mail, and a token sitting in a vulnerable server’s memory could be read just like a password. Logging out and back in invalidates the old tokens and issues new ones.
4. Change your password when asked. Even if you change your password now, some sites may ask you to change it again in a few days. If you’re asked again, do it: a site may have been exploited between your change and its patch, and a site that has since reissued its certificate will want credentials that were never protected by the old, possibly compromised key.
5. If you run Linux, update it. Ubuntu shipped a vulnerable OpenSSL, which means its derivatives such as Linux Mint and SteamOS likely did, too. Install the updated openssl and libssl packages, then restart every service that links OpenSSL (or reboot), because running processes keep the old library in memory until they are restarted.
6. Set up two-factor authentication. Many sites offer two-step verification, which means a stolen password alone isn’t enough: the attacker also needs the second factor, typically a code sent to or generated on your phone. Several sites, including Google, Facebook, Twitter, Yahoo, Dropbox, Microsoft and LinkedIn, offer it. Servers running Microsoft’s own TLS stack rather than OpenSSL weren’t affected by Heartbleed, and many other major sites, including Amazon, eBay, PayPal and most major banks, weren’t either.
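To make the mechanism behind the bug concrete, here is an added, self-contained Python model of the heartbeat handling before and after the OpenSSL 1.0.1g fix. It is not OpenSSL’s code and not part of the original post: the heap layout is simulated by concatenating the received record with a constructed “neighbouring” byte string (a fake cookie and key fragment), and the function names are ours.

```python
"""Model of the OpenSSL Heartbleed bug (CVE-2014-0160) in pure Python.

A TLS heartbeat message is: type (1 byte) | payload_length (2 bytes, big-endian)
| payload | padding (at least 16 bytes).  OpenSSL 1.0.1 through 1.0.1f trusted
payload_length as sent by the peer and copied that many bytes from the record
buffer into the reply, even when the record was far shorter, so the copy ran
off the end of the record into neighbouring heap memory.  1.0.1g rejects any
request whose claimed length does not fit inside the record actually received.
This is a model of that logic, not OpenSSL's code.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING = 16  # minimum padding every heartbeat carries

# Constructed stand-in for whatever happens to sit in the heap just after the
# received record: here a fake session cookie and private-key fragment.
SECRET_NEIGHBOUR = (
    b"Cookie: session=deadbeefcafef00d; "
    b"-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEA..."
)


def build_heartbeat(claimed_len, payload):
    """Build a heartbeat request whose length field need not match the payload."""
    return (bytes([HEARTBEAT_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + b"\x00" * PADDING)


def response_payload(response):
    """Extract the echoed payload from a heartbeat response (None if no response)."""
    if response is None:
        return None
    claimed = struct.unpack(">H", response[1:3])[0]
    return response[3:3 + claimed]


def vulnerable_handler(record, heap_after_record):
    """Pre-1.0.1g behaviour: echo `claimed` bytes starting at the payload,
    bounded only by the 16-bit length field, never by the record's real size."""
    heap = record + heap_after_record  # the record and its neighbours are contiguous
    hbtype = heap[0]
    claimed = struct.unpack(">H", heap[1:3])[0]
    if hbtype != HEARTBEAT_REQUEST:
        return None
    # In C this memcpy over-reads the heap; here the slice simply keeps going
    # past len(record) into SECRET_NEIGHBOUR, which is the leak.
    payload = heap[3:3 + claimed]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", claimed)
            + payload + b"\x00" * PADDING)


def patched_handler(record, heap_after_record):
    """1.0.1g behaviour: discard silently unless type + length + payload + padding
    all fit inside the record that was actually received."""
    if 1 + 2 + PADDING > len(record):
        return None
    hbtype = record[0]
    claimed = struct.unpack(">H", record[1:3])[0]
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + claimed + PADDING > len(record):
        return None  # claimed length exceeds the record: this is the fix
    payload = record[3:3 + claimed]
    return (bytes([HEARTBEAT_RESPONSE]) + struct.pack(">H", claimed)
            + payload + b"\x00" * PADDING)


def leaked_bytes(handler, claimed_len, payload, neighbour=SECRET_NEIGHBOUR):
    """Bytes the handler returned beyond the payload the client really sent."""
    echoed = response_payload(handler(build_heartbeat(claimed_len, payload), neighbour))
    return b"" if echoed is None else echoed[len(payload):]


if __name__ == "__main__":
    honest = build_heartbeat(4, b"HELO")
    malicious = build_heartbeat(4 + 16 + 40, b"HELO")  # claims 60 bytes, sends 4
    print("honest, vulnerable   :", response_payload(vulnerable_handler(honest, SECRET_NEIGHBOUR)))
    print("malicious, vulnerable:", leaked_bytes(vulnerable_handler, 60, b"HELO"))
    print("malicious, patched   :", patched_handler(malicious, SECRET_NEIGHBOUR))
```

The leak in the model is the 16 padding bytes followed by whatever lies after the record, which is exactly why a server-side log shows nothing: the request is well-formed TLS, and the patched handler simply drops it without writing anything. A real over-read can reach 64 KB per request because the length field is 16 bits.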
PROMINENT SITES TO CHANGE PASSWORDS

  • Yahoo!
  • Flickr
  • Tumblr
  • Ars Technica
  • IFTTT
  • Blogger/Bloggspot
  • Dropbox
  • Facebook
  • Electronic Frontier Foundation
  • Etsy
  • Google
  • Imgur
  • Instagram
  • Netflix
  • OKCupid
  • Pinterest
  • Stack Overflow
  • Wikipedia
  • Woot
  • WordPress.com/Wordpress.org
  • YouTube

(Photo courtesy of Flickr contributor Global Panorama.)

Cyber Attack Impacts Another Large Business

Sally Beauty Supply is the latest company to have its systems breached in a cyber attack. Confidential customer data, including credit card numbers, was stolen.
In early March, Sally Beauty representatives discovered that at least 25,000 credit card numbers had been exposed.
“Our customers remain our top priority,” Chairman, President and CEO Gary Winterhalter said in a press release.
Sally Beauty joins the list of retail organizations to be hacked within the past several months, joining Neiman Marcus and Target.
Start thinking proactively about your security and compliance before it’s too late; nobody is immune. Where are the gaps in your systems?
Find out today. Call Wendy Sanacore at TxMQ, 716-636-0070 (229) or email wendy@txmq.com
source: http://m.bizjournals.com/dallas/blog/morning_call/2014/03/sally-beauty-data-breach-is-bigger-than-earlier.html?r=full
(Photo: From screensaver by iProton.)

Microsoft Ending Technical Support On XP

According to the Boston Globe (March 13, 2014) almost 30% of the world’s desktop computers run Microsoft Corp.’s Windows XP, as do 95% of the world’s ATMs (per ATM maker NCR Corp.).
However, on April 8, 2014, Microsoft will stop providing technical support for the software. After the XP sunset there won’t be any further updates or security patches, so every flaw found in XP after that date stays open for good, and protecting any sensitive data on those machines from attackers becomes steadily harder. An unpatched XP machine is a ticking time bomb.
Microsoft will continue to update the XP version of its free Security Essentials program until July 2015. Other security software makers will do the same, but antivirus is reactive: it usually recognizes an attack only after that attack has already been seen and analyzed elsewhere, and the underlying flaw that made the attack possible will still be present and unpatched.
In addition, a single compromised computer on a home or office network puts every other computer on that network within the attacker’s reach.
So what are your options?
1. Buy a new computer
2. Replace XP with Linux, a free, open-source operating system that still receives security updates
3. Complete a full Windows upgrade, with computers running on Windows 7 instead of Windows 8 which has been labeled by many as user-unfriendly.
4. Purchase an external hard drive and back up all files on your old machine before migrating (a backup alone doesn’t make an unpatched machine any safer, but it makes the move to options 1 to 3 painless)
Source: http://www.bostonglobe.com/business/2014/03/12/for-windows-end-nigh-and-that-good/XH7GAsQ9Xs3IpXzDu2wrcO/story.html
(Photo: Sunset background courtesy of Kevin Dooley on Flickr.)

IBM Announces Fix Packs

Fix Central

Fix Central provides fixes and updates for your system’s software. You can find the fix or fixes you are looking for by searching by product, by fix ID, or by APAR. Fix Central also helps you identify any prerequisite or co-requisite fixes associated with the fixes you want to download.
New Fix Packs
8.5.0.2: WebSphere Application Server V8.5 Fix Pack 2 
IBM WebSphere Application Server Version 8.5 Fix Pack 2 for all platforms, also known as Version 8.5.0.2
8.0.0.8: WebSphere Application Server V8.0 Fix Pack 8 
IBM WebSphere Application Server Version 8.0 Fix Pack 8 for all platforms, also known as Version 8.0.0.8
7.0.0.31: WebSphere Application Server V7.0 Fix Pack 31 
IBM WebSphere Application Server Version 7.0 and WebSphere DMZ Secure Proxy Server Version 7.0 Fix Pack 31 for all platforms, also known as Version 7.0.0.31
7.0.0.31: Java SDK 1.6 SR15 Cumulative Fix for WebSphere Application Server 
IBM WebSphere Application Server Cumulative Fix for IBM SDK, Solaris Java SDK and HP-UX Java SDK.
Recommended fixes for WebSphere Application Server 
A comprehensive list of recommended, generally available (GA) fixes for IBM WebSphere Application Server releases. Fix packs are cumulative. When a prerequisite or co-requisite fix pack is recommended, that specific fix pack or a later fix pack can be applied. For example, if Fix Pack 7.0.0.9 is required, applying Fix Pack 7.0.0.9, 7.0.0.11, 7.0.0.13, or a later fix pack is valid. Tables are organized by version in the order they were released.
IBM Electronic Support 
IBM Electronic Support offers on-line support tools and resources to help you diagnose and resolve problems, and maintain your IBM products.
IBM Software Support Lifecycle 
Find detailed information about the available IBM Software Support Lifecycle Policies to help you realize the full value of your IBM software products.
IBM Support Assistant News 
This document provides the latest news and announcements for IBM Support Assistant V5 Team Server and IBM Support Assistant V4.1 Workbench.
Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.31
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server Fix Pack 7.0.0.31
Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.8
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.0.0.8
PM91417;7.0.0: provide option for backwards compatibility for earexpander 
Partial application updates will not update JARs in non-active Java EE locations.
Recommended values for web server plug-in config 
In the web server plug-in, what do the LoadBalanceWeight, MaxConnections, ConnectTimeout, ServerIOTimeout, RetryInterval, IgnoreAffinityRequests, and GetDWLMTable options mean and what are the recommended settings for these options?
Exception occurs during recovery of Oracle database transactions 
When WebSphere Application Server attempts to recover Oracle database transactions and an exception is issued.
Using IBM Installation Manager for installing WebSphere Application Server Version 7.0 feature packs 
Usage of the IBM Installation Manager with IBM WebSphere Application Server Version 7.0 is limited to install, update, and uninstall of version 7 feature packs only.
Fixes by version for WebSphere Application Server 
A comprehensive list of recommended, generally available (GA) fixes for WebSphere Application Server releases.
(Photo: Wrenches 2 by Julia Manzerova, on Flickr)

Potential Security Issues fixed In IBM WAS 8.0.0.8

Beware potential forgery.
WebSphere Application Server (WAS) could be vulnerable to a cross-site request forgery, caused by improper validation of portlets in the administrative console. By persuading a user to visit a malicious web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81014 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server (IBM WAS) Versions are affected:
Version 8.5
Version 8.0
Version 7
Version 6.1
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM72275, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.25:
Apply Fix Pack 27 (7.0.0.27), or later.
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-4053 (PM90949 and PM91521)
DESCRIPTION: WebSphere Application Server using WS-Security and configured for XML Digital Signature using trust store, could allow a network attacker to gain elevated privileges on the system, caused by improper checking of the certificate.
CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86505 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
Version 6.1
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF for WebSphere Application Server as noted below:
For IBM WebSphere Application Server (PM90949)
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
OR
APAR Interim Fix:
Find your applicable Version for APAR Interim Fix PM90949
Ensure you are at the minimally required Fix Pack Level before installing the APAR Interim Fix, then
Apply the APAR Interim Fix
For IBM WebSphere Application Server Feature Pack for Web Services (PM91521)
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
OR
APAR Interim Fix:
Find your applicable Version for APAR Interim Fix PM91521
Ensure you are at the minimally required Fix Pack Level before installing the APAR Interim Fix, then
Apply the APAR Interim Fix
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-4052 (PM91892)
DESCRIPTION: WebSphere Application Server could allow a cross-site scripting attack, caused by improper validation of input in the UDDI Administrative console. A network attacker could exploit this vulnerability using a specially-crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86504 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
Version 6.1
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM91892, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
For V6.1.0 through 6.1.0.45:
Apply Fix Pack 47 (6.1.0.47), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-5414 (PM92313)
DESCRIPTION: WebSphere Application Server could allow existing users to gain elevated privileges on the system caused by incorrect Administration Security roles being assigned after migration from version 6.1 or later.
NOTE: If a migration from WebSphere Application Server Version 6.1 or later has already been performed, all users designated with “adminsecmanager” (Administrative Security Manager) role need to be evaluated to determine if they should have both “admin” role and “adminsecmanager” role. Some users may not need both designations and the privileges should be removed accordingly.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87476 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM92313, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): If a migration from WebSphere Application Server Version 6.1 or later has already been performed, all users designated with “adminsecmanager” role need to be evaluated to determine if they should have both “admin” role and “adminsecmanager” (Administrative Security Manager) role. Some users may not need both designations and the privileges should be removed accordingly.
Mitigation(s): none
CVE ID: CVE-2013-5417 (PM93323 and PM93944)
DESCRIPTION: WebSphere Application Server could be vulnerable to cross-site scripting, caused by improper validation of application HTTP response data.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87479 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing APAR PM93323 for IBM WebSphere Application Server Full Profile or APAR PM93944 for IBM WebSphere Application Server Liberty Profile, as noted below:
For IBM WebSphere Application Server Full Profile
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
For IBM WebSphere Application Server Liberty Profile
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-5418 (PM96477)
DESCRIPTION: WebSphere Application Server could allow a cross-site scripting attack, caused by improper validation of input in the Administrative console. A remote attacker could exploit this vulnerability using a specially-crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87480 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM96477, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.0:
Apply Fix Pack 1 (8.5.5.1), or later.
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-6725 (PM98132)
DESCRIPTION: IBM WebSphere Application Server may be vulnerable to cross-site scripting, caused by improper validation of input in the Administrative Console. A remote attacker with Administrative authority could exploit this vulnerability using a specially-crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89280 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM98132, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.1:
Apply Fix Pack 2 (8.5.5.2), or later (targeted to be available 28 April 2014).
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): None
Mitigation(s): none
CVE ID: CVE-2013-6325 (PM99450)
DESCRIPTION: IBM WebSphere Application Server could be vulnerable to a denial of service, caused by improper handling of requests by a web services endpoint. By passing a specially-crafted request, a remote attacker could exploit this vulnerability to consume available resources.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/88906 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
Version 8.5
Version 8
Version 7
REMEDIATION: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
Fix:
Apply a Fix Pack or PTF containing this APAR PM99450, as noted below:
For IBM WebSphere Application Server
For V8.5 through 8.5.5.1:
Apply Fix Pack 2 (8.5.5.2), or later (targeted to be available 28 April 2014).
For V8.0 through 8.0.0.7:
Apply Fix Pack 8 (8.0.0.8), or later.
For V7.0 through 7.0.0.29:
Apply Fix Pack 31 (7.0.0.31), or later.
Workaround(s): None
Mitigation(s): none
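The remediation tables above repeat the same “for Vx through y, apply Fix Pack z or later” pattern for each item, which is tedious to apply by hand across a fleet. Here is an added triage helper (not IBM tooling and not part of the original bulletin) that takes an installed level in the four-part form the bulletin uses (e.g. 7.0.0.29) and reports which items are still open and the single fix pack that closes them all. The table is transcribed from the entries above; the profile names “full” and “liberty” and all function names are ours.

```python
"""Which fix pack an installed WebSphere Application Server level still needs,
per the remediation tables in this bulletin.  Added worked example (not IBM
tooling); the table below is transcribed from the bulletin above and the
four-part level format (e.g. 7.0.0.29) is assumed."""

# (identifier, profile, {branch: first fixed level}); a branch absent from the
# dict is one the bulletin does not list as affected for that item.
FIXES = [
    ("PM72275 (admin console CSRF)", "full",
     {"8.5": "8.5.5.1", "8.0": "8.0.0.8", "7.0": "7.0.0.27", "6.1": "6.1.0.47"}),
    ("CVE-2013-4053", "full",
     {"8.5": "8.5.5.1", "8.0": "8.0.0.8", "7.0": "7.0.0.31", "6.1": "6.1.0.47"}),
    ("CVE-2013-4052", "full",
     {"8.5": "8.5.5.1", "8.0": "8.0.0.8", "7.0": "7.0.0.31", "6.1": "6.1.0.47"}),
    ("CVE-2013-5414", "full", {"8.5": "8.5.5.1", "8.0": "8.0.0.8", "7.0": "7.0.0.31"}),
    ("CVE-2013-5417", "full", {"8.5": "8.5.5.1", "8.0": "8.0.0.8", "7.0": "7.0.0.31"}),
    ("CVE-2013-5417", "liberty", {"8.5": "8.5.5.1"}),
    ("CVE-2013-5418", "full", {"8.5": "8.5.5.1", "8.0": "8.0.0.8", "7.0": "7.0.0.31"}),
    ("CVE-2013-6725", "full", {"8.5": "8.5.5.2", "8.0": "8.0.0.8", "7.0": "7.0.0.31"}),
    ("CVE-2013-6325", "full", {"8.5": "8.5.5.2", "8.0": "8.0.0.8", "7.0": "7.0.0.31"}),
]


def parse_level(text):
    """'8.0.0.7' -> (8, 0, 0, 7); tuples compare the way fix-pack levels do."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part WAS level: {text!r}")
    return tuple(int(p) for p in parts)


def unfixed(installed, profile="full"):
    """Bulletin items still open at `installed`, with the level that closes each.
    A branch the bulletin does not list (e.g. anything outside 6.1/7.0/8.0/8.5)
    yields nothing, which means 'not covered by this bulletin', not 'safe'."""
    level = parse_level(installed)
    branch = f"{level[0]}.{level[1]}"
    open_items = []
    for ident, prof, by_branch in FIXES:
        if prof != profile or branch not in by_branch:
            continue
        if level < parse_level(by_branch[branch]):
            open_items.append((ident, by_branch[branch]))
    return open_items


def target_level(installed, profile="full"):
    """Lowest single fix pack that closes every open item, or None if nothing is
    open (fix packs are cumulative, so the highest required level covers the rest)."""
    needed = [parse_level(lvl) for _, lvl in unfixed(installed, profile)]
    return ".".join(map(str, max(needed))) if needed else None


if __name__ == "__main__":
    for lvl, prof in [("7.0.0.29", "full"), ("8.0.0.7", "full"),
                      ("8.5.5.1", "full"), ("8.5.5.0", "liberty")]:
        print(lvl, prof, "->", target_level(lvl, prof), unfixed(lvl, prof))
```

Note what the script cannot tell you: for CVE-2013-5414 the fix pack only stops new migrations from assigning the wrong roles, so on any cell already migrated from 6.1 the review of users holding both “admin” and “adminsecmanager” described in the workaround still has to be done by hand after the upgrade.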
IBM SDK: Please refer to this security bulletin for SDK fixes that were shipped with WebSphere Application Server Version 7.0.0.31
http://www.ibm.com/support/docview.wss?&uid=swg21655990
Important note:
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
Reference: http://www-01.ibm.com/support/docview.wss?uid=swg21661325&acss=danl_334_email
(Photo courtesy of Flickr contributor brykmantra.)