Potential PAM vulnerability when adding jk-manager or jk-status to PAM url

Document ID : KB000123463
Last Modified Date : 01/02/2019
Issue:
An outside researcher reported a potential vulnerability involving the use of /jk-manager or /jk-status on a PAM URL. Requesting https://capam01/jk-manager resulted in the following:
[Screenshot: response to https://capam01/jk-manager]

https://capam01/jk-status resulted in the following:
[Screenshot: response to https://capam01/jk-status]
Resolution:
The problem is addressed in the following releases:
a) The next release - PAM 3.3 - scheduled for the first half of 2019.
b) The current GA release - PAM 3.2.3.
c) The GA - 1 release - PAM 3.1.4 (scheduled for February 2019).


There are no plans to do anything for earlier SPs on the 3.2.x and 3.1.x codelines. An SP is the latest sustaining patch level; it is not a release in itself.

The only non-EOL GA version that has not been covered is the 3.0.x release. There are no plans to do another sustaining SP for that GA - 2 codeline.
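As an added example (not from this KB article or CA's own code), the following check scans web access logs for requests to the two paths named in the Issue section and reports, per client, whether the server actually served the page (2xx) or blocked it. The log lines, IPs and timestamps are constructed for the example; the log format is assumed to be NCSA combined.

```python
import re
from collections import defaultdict

# Constructed sample lines in NCSA combined format (not real PAM traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jan/2019:10:15:01 +0000] "GET /jk-manager HTTP/1.1" 200 5321 "-" "curl/7.58.0"
203.0.113.7 - - [02/Jan/2019:10:15:03 +0000] "GET /jk-status HTTP/1.1" 200 4107 "-" "curl/7.58.0"
198.51.100.20 - - [02/Jan/2019:10:16:44 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jan/2019:10:17:09 +0000] "GET /jk-status?cmd=list HTTP/1.1" 403 199 "-" "curl/7.58.0"
192.0.2.55 - - [02/Jan/2019:10:18:00 +0000] "GET /JK-MANAGER/ HTTP/1.1" 404 233 "-" "python-requests/2.21"
"""

# Fields of one combined-format line we need: client IP, timestamp, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two paths from the KB article, matched at the start of the request path,
# case-insensitively, with or without a trailing slash or query string.
JK_PATH_RE = re.compile(r'^/(jk-manager|jk-status)(?:/|\?|$)', re.IGNORECASE)


def find_jk_probes(log_text):
    """Return one dict per request for /jk-manager or /jk-status.

    'served' is True when the server answered 2xx, meaning the page was
    actually exposed to that client rather than blocked or absent.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not JK_PATH_RE.match(m['path']):
            continue
        status = int(m['status'])
        hits.append({'ip': m['ip'], 'time': m['ts'], 'path': m['path'],
                     'status': status, 'served': 200 <= status < 300})
    return hits


def summarize_by_source(hits):
    """Count probes per client IP, split into served (2xx) and blocked."""
    summary = defaultdict(lambda: {'served': 0, 'blocked': 0})
    for h in hits:
        summary[h['ip']]['served' if h['served'] else 'blocked'] += 1
    return dict(summary)


if __name__ == '__main__':
    print(summarize_by_source(find_jk_probes(SAMPLE_LOG)))
```

A client with a non-zero 'served' count retrieved the status page from a build that still exposes it; 'blocked' entries show the same paths being requested against a build or configuration that no longer serves them.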