Accessing the IBM Rational Automation Framework web user interface via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.
**CVEID:** CVE-2012-4816
Description:
Accessing the Rational Automation Framework (RAF) web UI via the standard port 80 forces a login prompt to the user. However, a user can bypass this by hitting the default application server port 8080 and browsing various context roots until they locate the wizard.
**CVSS Base Score:** 7.5
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/78379> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions:
Rational Automation Framework 3.0 and later on all supported platforms.
Remediation/Fixes:
None
Workaround(s):
Environment Generation Security Patch for Tomcat
1. Modify the files below so that the Env Gen Wizard no longer allows access without a login.
Path: C:\IBM\Apache\tomcat\conf
File: tomcat-users.xml
Add the following role and user between the opening and closing <tomcat-users> tags:
```xml
<role rolename="admin"/>
<user username="admin" password="test123" roles="admin"/>
```
2. Add the elements below immediately above the closing </web-app> tag.
Path: C:\IBM\Apache\tomcat\webapps\rafw\WEB-INF
File: web.xml
```xml
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-constraint>
  <display-name>Environment Generation</display-name>
  <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/rafw/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Secure Area</realm-name>
</login-config>
```
3. Restart BuildForge.
Environment Generation Security Patch for WebSphere Application Server (WAS 7.0 & 8.0)
Update the web.xml File
1. There are two copies of the web.xml file, located in the following directories:
/WAS_install_root/installedApps/<cellname>/rweb.ear/rweb.war/WEB-INF/web.xml
/WAS_install_root/config/cells/<cellname>/applications/rweb.ear/deployments/rweb/rweb.war/WEB-INF/web.xml
Note: If this is a WebSphere Application Server Network Deployment, there is an additional web.xml that must be updated:
/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/<cellname>/applications/rweb_war.ear/deployments/rweb_war/rweb.war/web.xml
2. Insert the basic authentication and security role elements below into each of the three web.xml files:
```xml
<security-constraint>
  <display-name>Environment Generation</display-name>
  <web-resource-collection>
    <web-resource-name>Security constraint for Env Gen</web-resource-name>
    <url-pattern>/rafw/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
<security-role>
  <role-name>admin</role-name>
</security-role>
```
3. Enable WebSphere Application Server security:
Open the WebSphere Administrative Console using the URL http://:/ibm/console
4. Map the security roles declared in web.xml to WebSphere users or groups (Manage Users/Groups).
If the RAF server auto-redirect does not work, use https://:9443/rbf-services/LoginServlet instead.
**Try logging in using the default WAS port: http://:9080/rafw/env**
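To verify that a web.xml fragment like the ones in both workarounds above actually gates the wizard, the following added example (not IBM's code) applies the Servlet url-pattern matching rules to a request path and reports which roles and transport guarantee cover it. It embeds the WAS fragment as a constructed sample; the Servlet container matches url-pattern against the path with the context path already removed, so the path you pass must be the one the container sees for your deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the workaround fragment wrapped in a minimal <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <display-name>Environment Generation</display-name>
    <web-resource-collection>
      <web-resource-name>Security constraint for Env Gen</web-resource-name>
      <url-pattern>/rafw/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, path prefix (/x/*), extension (*.ext), default (/).
    `path` is the request path with the context path (e.g. /rafw on Tomcat) already stripped."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def covering_constraint(web_xml, path):
    """Return (allowed_roles, tls_required) for the first <security-constraint>
    whose url-pattern matches `path`, or None if nothing in web.xml covers it."""
    root = ET.fromstring(web_xml)
    for sc in root.iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        if not any(pattern_matches(p, path) for p in patterns):
            continue
        auth = sc.find("auth-constraint")
        roles = {r.text.strip() for r in auth.findall("role-name")} if auth is not None else set()
        guarantee = sc.find("user-data-constraint/transport-guarantee")
        tls = guarantee is not None and guarantee.text.strip() in ("CONFIDENTIAL", "INTEGRAL")
        return roles, tls
    return None
```

With the Tomcat layout above the application is deployed under webapps/rafw, so a request for /rafw/env reaches the container as path /env inside that context, while a deployment whose context root is / sees /rafw/env; run `covering_constraint` with the path as your container sees it and confirm it returns the admin role with TLS required rather than None.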
Mitigation(s):
None