IBM Support

URGENT WARNING! Possible security exposure on April 26, 2012, if using the Web Server Plug-in for WebSphere Application Server

Flash (Alert)


SSL connections between the plug-in and WebSphere Application Server might fail or revert to non-SSL after the shipped version of the plugin-key.kdb password expires April 26, 2012 US EDT.


CVE ID: CVE-2012-2162
If you are using the WebSphere Key and Certificate Management generated plug-in key store you are NOT affected. If, however, you are using the key store installed by default with the Web Server Plug-in for WebSphere Application Server and you have NEVER changed the key store's password, then you must change the plug-in key store's password, which removes the pending password expiration, to avoid a security exposure. Generally, as a best practice, IBM recommends you always change passwords from the default value to enhance the security of your system.

In reference to this specific security exposure concern, a majority of users do not reference the affected file at runtime and therefore are not impacted. However, a small minority of users must take action and use certificate management tools to remove the password expiration prior to April 26, 2012 to avoid experiencing this issue.

If you have addressed the plugin-key.kdb password expiration issue as outlined in the Flash titled "Password to the plugin-key.kdb will expire on April 26, 2012 US EDT", no further review or action is required.

If you have NOT reviewed and addressed the Flash above, as indicated, please review and follow the actions as described.

This Flash is intended as an urgent warning about the mode of failure you might experience after the April 26, 2012 US Eastern password expiration if action is not taken prior to that date.

Versions affected:

All versions of WebSphere Application Server for Distributed, IBM i, and z/OS operating systems (e.g., V8.0 and earlier) have the potential to be affected.

    Note: Versions 6.0 and earlier are no longer in service. The purchase of a Support Extension might be required, if additional assistance is needed, unless you are otherwise entitled to support.

Problem Description:

The following is the description of the mode of failure which will occur after the plug-in's key store password expiration date, however it ONLY applies to users with affected web servers who have NOT taken the prescribed action.

The WebSphere Application Server web server plug-in (web server plug-in) comes with a plugin-key.kdb file upon installation. The default password of WebAS is set to expire by April 26, 2012 US EDT.
After the password expiration date passes, the next time the web server running the web server plug-in is restarted, or the next time the plugin-cfg.xml is modified, the HTTPS (SSL) connectivity between the web server plug-in and the WebSphere Application Server might fail or revert to a non-SSL function and will not be encrypted.

This has no affect on the connection between the client (browser) and the web server that do not use the plugin-key.kdb for their certificate exchange. Only connections between the web server plug-in and the WebSphere Application Server will have the problem. For systems that use this file for their web server security, corrective action will need to taken as outlined in the Flash.

In some less common configurations, in which HTTP transports have been explicitly disabled, blocked, or removed, the web server plug-in will fail to forward the incoming requests returning an immediate error (HTTP 500 -- Internal Server Error).


Review and follow the prescribed actions, as appropriate, in the Flash titled "Password to the plugin-key.kdb will expire on April 26, 2012 US EDT".


Complete CVSS Guide v2
On-line Calculator V2

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Application Servers WebSphere Application Server for z/OS Plug-in z/OS, OS/390 8.0, 7.0, 6.1, 6.0, 5.1

Document information

More support for: WebSphere Application Server

Software version: 6.0, 6.1, 7.0, 8.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Base, Developer, Express, Network Deployment

Reference #: 1591172

Modified date: 18 April 2012