Apache Struts security issues ‐ time to patch your IBM Connections install

I’ve just come across an IBM technote from May 2014 that has been updated over the last few days, listing details of a number of vulnerabilities in Apache Struts:

Vulnerability Details (quoted from the technote):

Several security vulnerabilities have been reported against Apache Struts through April 2014. IBM Connections uses Struts. A version of the package that is vulnerable to these issues is used in several past versions of IBM Connections. To fix these vulnerabilities apply the fixes as detailed in the Remediation section.

The following versions of IBM Connections are impacted:

IBM Connections 5.0
IBM Connections 4.5
IBM Connections 4.0
IBM Connections and earlier releases

There are fixes for all of the above-mentioned versions of Connections. Here are the two most recent:

IBM Connections 5.0 Apply APAR LO80688
IBM Connections 4.5 Upgrade to IBM Connections 4.5 CR4 and apply Interim Fix APAR LO81215

I would definitely recommend getting these security fixes on ASAP, particularly if your IBM Connections platform is public-facing…
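As an added example (not from the original post, from IBM or from the technote), here is a POSIX shell inventory of the Struts jars under a Connections or WebSphere install, so the versions on disk can be compared with what the APAR readme ships. It assumes the jar file names carry the version (struts-1.2.9.jar, struts2-core-2.3.16.jar), which is the usual naming; a jar without a version in its name is listed as "unknown" rather than skipped. It does not decide which versions are vulnerable, because the post does not give those numbers; check against the APAR readme.

```shell
#!/bin/sh
# Added example: inventory Struts jars under an IBM Connections / WebSphere
# install so the versions on disk can be compared with the APAR readme.
# Assumption: jar names carry the version (struts-1.2.9.jar,
# struts2-core-2.3.16.jar).  A jar without a version in its name is still
# listed, as "unknown", so nothing is silently skipped.

# struts_jar_version PATH -> version parsed from the jar file name
struts_jar_version() {
    # drop the directory and ".jar", then keep the trailing dotted-digit run
    v=$(printf '%s\n' "$1" | sed -n 's#.*/##; s/\.jar$//; s/^.*-\([0-9][0-9.]*\)$/\1/p')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unknown\n'; fi
}

# struts_jar_inventory DIR -> one "path<TAB>version" line per struts*.jar
struts_jar_inventory() {
    find "$1" -type f -name 'struts*.jar' 2>/dev/null | sort |
    while IFS= read -r jar; do
        printf '%s\t%s\n' "$jar" "$(struts_jar_version "$jar")"
    done
}

# usage: sh struts-inventory.sh /opt/IBM/WebSphere/AppServer/profiles
if [ "$#" -gt 0 ]; then
    struts_jar_inventory "$1"
fi
```

Run it against the profiles directory (the path above is an assumption; Connections deploys its applications under the WAS profile) before and after applying the APAR, and keep the before/after listings with the change record.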

Warning for IBM Connections admins – change that Plugin keyfile password!

If you are running IBM Connections (any version) and have configured the SSL connection between the HTTP Server and WAS by importing the WAS SSL certificate into the Plugin keyfile (plugin-key.kdb) rather than creating your own keyfile, and haven’t changed the default password, go do so now!

As this IBM technote states, the default password expires on April 26th, 2012:

The password to the plugin-key.kdb file that is shipped with WebSphere Application Server expires on April 26, 2012 US EDT. On distributed this file is placed in the [Plugin_Home]/config/{webservername} directory when a web server plug-in is configured on an installed web server.


If you are using the WebSphere Key and Certificate Management generated plug-in key store you are NOT affected. If, however, you are using the key store installed by default with the Web Server Plug-in for WebSphere Application Server and you have NEVER changed the key store’s password, then you must change the plug-in key store’s password, which removes the pending password expiration, to avoid a security exposure. Generally, as a best practice, IBM recommends you always change passwords from the default value to enhance the security of your system.

In reference to this specific security exposure concern, a majority of users do not reference the affected file at runtime and therefore are not impacted. However, a small minority of users must take action and use certificate management tools to remove the password expiration prior to April 26, 2012 to avoid experiencing this issue.

All the instructions for fixing this issue are contained in the technote, so take a read and make sure you’ve got this covered.

For the record, my advice when configuring a new Connections environment is to create a new keyfile with your own password, create a self-signed certificate or request a certified one from Verisign, etc., then import the certificates into WAS. This is all detailed in the presentation that Rob Wunderlich and I gave at Lotusphere 2011.
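Both steps above, the technote's password change and the "create your own keyfile" approach, as an added example that is not code from the original post or from IBM's technote. It drives the GSKit command-line tool (gskcapicmd; older GSKit releases ship it as gsk7cmd, which can be substituted via GSK=...). The key file path, certificate label and DN are assumptions; "WebAS" is the shipped default password of plugin-key.kdb. With DRY_RUN=1, or whenever the tool is not on PATH, the script prints the commands with password values masked instead of running them, so it can be reviewed before being run on the web server host.

```shell
#!/bin/sh
# Added example, not code from the original post or from IBM's technote.
# Drives the GSKit command-line tool (gskcapicmd; older GSKit releases call
# it gsk7cmd, override with GSK=...) to do the two things discussed above:
#   changepw  change the password of the shipped plugin-key.kdb, which also
#             clears its pending expiry, and rewrite the .sth stash file the
#             plug-in reads at startup
#   create    build a fresh CMS key database with your own password and a
#             self-signed certificate, then extract that certificate so it
#             can be added to the WAS trust store (done in the admin console,
#             not scripted here)
# Paths, labels and DNs are assumptions.  "WebAS" is the shipped default
# password of plugin-key.kdb.  With DRY_RUN=1, or when the tool is not on
# PATH, commands are printed with password values masked instead of run.

GSK=${GSK:-gskcapicmd}

# run CMD ARG... : execute, or print (passwords masked) in dry-run mode
run() {
    if [ "${DRY_RUN:-0}" = 1 ] || ! command -v "$GSK" >/dev/null 2>&1; then
        _line=; _mask=0
        for _a in "$@"; do
            if [ "$_mask" = 1 ]; then _a='***'; _mask=0; fi
            case "$_a" in -pw|-new_pw) _mask=1 ;; esac
            _line="$_line$_a "
        done
        printf '%s\n' "${_line% }"
        return 0
    fi
    "$@"
}

# plugin_keydb_changepw KDB OLD_PW NEW_PW
plugin_keydb_changepw() {
    run "$GSK" -keydb -changepw -db "$1" -pw "$2" -new_pw "$3" -stash
}

# plugin_keydb_create KDB PW LABEL DN : new key database + self-signed cert,
# certificate written to KDB-cert.arm (PEM) for import on the WAS side
plugin_keydb_create() {
    run "$GSK" -keydb -create -db "$1" -pw "$2" -type cms -stash
    run "$GSK" -cert -create -db "$1" -pw "$2" -label "$3" -dn "$4" -size 2048 -expire 365
    run "$GSK" -cert -extract -db "$1" -pw "$2" -label "$3" \
        -target "${1%.kdb}-cert.arm" -format ascii
}

# usage: sh plugin-keydb.sh changepw KDB OLD_PW NEW_PW
#        sh plugin-keydb.sh create   KDB PW LABEL "CN=host,O=Org"
case "${1:-}" in
    changepw) plugin_keydb_changepw "$2" "$3" "$4" ;;
    create)   plugin_keydb_create "$2" "$3" "$4" "$5" ;;
esac
```

Two caveats. Passwords passed on the command line are visible in the process list and shell history; gskcapicmd's own -pw option has the same exposure, so on a shared host use the iKeyman GUI instead. And the .sth stash file only obfuscates the password, it does not encrypt it, so keep it readable only by the user the HTTP Server runs as. Check the exact option spelling against the GSKit version shipped with your WebSphere plug-in before relying on this.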