Bugtraq mailing list archives
Re: Passwords in Net.Commerce/WebSphere decryptable, any version
From: IBM MSS Advisory Service <advisory () US IBM COM>
Date: Wed, 7 Mar 2001 21:32:41 -0500
IBM Global Services Managed Security Services
Outside Advisory Redistribution
8 MAR 2001 2:11 GMT                                 MSS-OAR-E01-2001:087.1
===========================================================================

The MSS Outside Advisory Redistribution is designed to provide customers of IBM Managed Security Services with access to the security advisories sent out by other computer security incident response teams, vendors, and other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or accuracy of the advisories themselves.

IBM MSS is forwarding the following information from IBM. Contact information for IBM is included in the forwarded text below. Please contact them if you have any questions or need further information.

===========================================================================

----------- Forwarded Information Starts Here.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Special Security Notice for IBM Net.Commerce and IBM WebSphere Commerce Suite Version 4.1 Customers. This does not apply to Customers of the current Version 5.1:

IBM understands that the quality and integrity of e-commerce sites is of paramount importance. As part of our ongoing monitoring of potential security issues, we have learned that a "hacker tool" has been published that could expose some web sites that have not taken preventive actions.

If you have WebSphere Commerce Suite 4.1 or any previous release* and have not yet implemented the fixes recommended by IBM in November 1999 and February 2001 (http://www-4.ibm.com/software/webservers/commerce/wcs_start/support.html), we strongly encourage you to implement those steps immediately. This is particularly important for those customers who have custom macros or are using sample code on their production servers.

In addition to those steps, we recommend that you ensure that you have properly customized the default merchant key shipped with the product.

To assist you in customizing the key, beginning on March 8th IBM will make available a special utility. Please see the IBM WebSphere Commerce Suite support web site at http://www-4.ibm.com/software/webservers/commerce/wcs_start/support.html to obtain a copy. This utility should be used along with our recommendations from November 1999 and February 2001. Please refer to "Known Securities Issues Bulletin #2001-2" under the section, "Technical Notes - Hints & Tips - Security," at that URL.

Today we are also posting at that URL information to assist you in determining if your site has been compromised.

This is not an issue for WebSphere Commerce Suite Version 5.1.

Thank you for your attention to this important matter. We encourage you to continue checking the WebSphere Commerce Suite web site for information and updates.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBOqbrLMXrSKQHhgFwEQJLPQCeP3ywnG25akWDHxN6zu+jdcTLDtUAoOXD
+OrhLTsfisZ8x8304aN3ekSQ
=HYOo
-----END PGP SIGNATURE-----

----------- Forwarded Information Ends Here.

===========================================================================

IBM's Managed Security Services (MSS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, IBM MSS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s).

As a part of IBM's Business Continuity and Recovery Service IBM's Managed Security Services is a component of IBM Global Services Privacy and Security Services suite of offerings. To find out more about IBM Managed Security Services, send an electronic mail message to ers-sales () ers ibm com, or call 1-800-426-7378.

IBM MSS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items.

IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM MSS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html

"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM MSS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of IBM Managed Security Services. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes.

===========================================================================