MANDATORY: WAS patch for Connections 3.0 deployments

We have issued a flash for a serious security issue that was discovered Friday.  We want to ensure that all customers using Connections 3.0 apply this patch – certainly if they are in production, but also if they have pilots where a breach in the security of the logon would be an issue.

https://www-304.ibm.com/support/docview.wss?mynp=OCSSYGQH&mync=E&uid=swg21462435&myns=swglotus

We are reaching out individually to the customers we know are in production, but would like your assistance to ensure that customers act on this flash as appropriate.

Here is the information I’ve been sharing with customers beyond the info in the tech note:
The issue was found internally by our team.  There are no public disclosures of the vulnerability at this time, and no evidence that anyone has found or exploited the issue yet.  We won’t be sharing any information on the nature of the issue, in order to minimize the risk of a public disclosure.

It is a WAS issue, specific to WAS 7.0.0.x, and the WAS patch completely protects against the issue.

Whether the customer has seen an issue or not, they are exposed.

Our own evaluation of the threat level of this specific exposure dictated that the patch be applied immediately to Greenhouse, for example.

We have also created Connections ifixes to make us less exposed to WAS bugs in this area in the future. They aren’t mandatory, just additional defensive code.
