Re: Passwords in Net.Commerce/WebSphere decryptable, any version

[IBM MSS Advisory Service <advisory () US IBM COM>]

                            IBM Global Services
                         Managed Security Services
                      Outside Advisory Redistribution

8 MAR 2001  2:11 GMT                              MSS-OAR-E01-2001:087.1
===========================================================================
The MSS Outside Advisory Redistribution is designed to provide customers of
IBM Managed Security Services with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents
or accuracy of the advisories themselves.

IBM MSS is forwarding the following information from IBM.
Contact information for IBM is included in the forwarded text
below. Please contact them if you have any questions or need further
information.
===========================================================================
----------- Forwarded Information Starts Here.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Special Security Notice for IBM Net.Commerce and IBM WebSphere Commerce
Suite Version 4.1 Customers.  This does not apply to Customers of the
current Version 5.1:

IBM understands that the quality and integrity of e-commerce sites is of
paramount importance.  As part of our ongoing monitoring of potential
security issues, we have learned that a "hacker tool" has been published
that could expose some web sites that have not taken preventive actions.
If you have WebSphere Commerce Suite 4.1 or any previous release* and
have not yet implemented the fixes recommended by IBM in November 1999
and February 2001
(http://www-4.ibm.com/software/webservers/commerce/wcs_start/support.html),
we strongly encourage you to implement those steps immediately.  This is
particularly important for those customers who have custom macros or are
using sample code on their production servers.

In addition to those steps, we recommend that you ensure that you have
properly customized the default merchant key shipped with the product.
To assist you in customizing the key, beginning on March 8th IBM will
make available a special utility.  Please see the IBM WebSphere Commerce
Suite support web site at
http://www-4.ibm.com/software/webservers/commerce/wcs_start/support.html
to obtain a copy.  This utility should be used along with our
recommendations from November 1999 and February 2001.  Please refer to
"Known Securities Issues Bulletin #2001-2" under the section, "Technical
Notes - Hints & Tips - Security," at that URL.  Today we are also
posting at that URL information to assist you in determining if your
site has been compromised.

This is not an issue for WebSphere Commerce Suite Version 5.1.

Thank you for your attention to this important matter.  We encourage you
to continue checking the WebSphere Commerce Suite web site for
information and updates.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBOqbrLMXrSKQHhgFwEQJLPQCeP3ywnG25akWDHxN6zu+jdcTLDtUAoOXD
+OrhLTsfisZ8x8304aN3ekSQ
=HYOo
-----END PGP SIGNATURE-----
----------- Forwarded Information Ends Here.
===========================================================================
IBM's Managed Security Services (MSS) is a subscription-based Internet
security response service that includes computer security incident response
and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM MSS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures
across your Internet connection(s).

As a part of IBM's Business Continuity and Recovery Service IBM's Managed
Security Services is a component of IBM Global Services Privacy and
Security Services suite of offerings.  To find out more about IBM Managed
Security Services, send an electronic mail message to
ers-sales () ers ibm com, or call 1-800-426-7378.

IBM MSS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information.  The
IBM MSS PGP* public key is available from
   http://www.ers.ibm.com/team-info/pgpkey.html
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
IBM Managed Security Services.  Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or
implied, or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or
process contained herein, or represents that its use would not infringe any
privately owned rights.  Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by IBM or its subsidiaries.  The views and
opinions of authors expressed herein do not necessarily state or reflect
those of IBM or its subsidiaries, and may not be used for advertising or
product endorsement purposes.
===========================================================================