We have issued a flash for a serious security issue that was discovered Friday. We want to ensure that all customers using Connections 3.0 apply this patch – certainly if they are in production, but also if they have pilots where a breach in the security of the logon would be an issue.
https://www-304.ibm.com/support/docview.wss?mynp=OCSSYGQH&mync=E&uid=swg21462435&myns=swglotus
We are reaching out individually to the customers we know are in production, but would like your assistance to ensure that customers act on this flash as appropriate.
Here is the information I’ve been sharing with customers beyond the info in the tech note:
The issue was found internally by our team. There are no public disclosures of the vulnerability at this time, and no evidence that anyone has found or exploited the issue yet. We won’t be sharing any information on the nature of the issue, in order to minimize the risk of a public disclosure.
It is a WAS issue, specific to WAS 7.0.0.x, and the WAS patch completely protects against the issue.
Whether the customer has seen an issue or not, they are exposed.
Our own evaluation of the threat level of this specific exposure dictated that the patch be applied immediately to Greenhouse, for example.
We have also created Connections ifixes to make us less exposed to WAS bugs in this area in the future. They aren’t mandatory, just additional defensive code.