IBM Support

PK80627; Possible security exposure with XML digital signature.

Download


Abstract

Possible security exposure with XML digital signature.

Download Description

PK80627 resolves the following problem:

ERROR DESCRIPTION:
Possible security exposure with XML digital signature.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
WebSphere Application Server Feature Pack for WebServices users of WS-Security JAX-WS enabled applications that use a MAC algorithm (shared secret key), such as http://www.w3.org/2000/09/xmldsig#hmac-sha1, for message integrity.

PROBLEM DESCRIPTION:
Web services messages that do not follow XML digital signature best practice may be accepted by the Application Server if those messages otherwise satisfy quality of service policy requirements.

RECOMMENDATION:
Apply APAR PK80627 or a Fix Pack containing this APAR.

PROBLEM CONCLUSION:
The WS-Security runtime was updated to reject messages that do not follow XML digital signature best practice.

After this fix is applied, web services requests that contain digital signatures not generated by WebSphere Application Servers may be rejected for integrity reasons.

The fix for this APAR is currently targeted for inclusion in Fix Pack 6.1.0.25. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 6078): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80627/readme.txt
6.1.0.17-WS-WASWebSvc-IFPK80627 (7/10/2009, US English, AIX, size 1314112)
Fix Central: https://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.17-WS-WASWebSvc-IFPK80627&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80627/6.1.0.17-WS-WASWebSvc-IFPK80627.pak
DDURL: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80627/6.1.0.17-WS-WASWebSvc-IFPK80627.pak

6.1.0.23-WS-WASWebSvc-IFPK80627 (7/10/2009, US English, AIX, size 997110)
Fix Central: https://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.23-WS-WASWebSvc-IFPK80627&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80627/6.1.0.23-WS-WASWebSvc-IFPK80627.pak
DDURL: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80627/6.1.0.23-WS-WASWebSvc-IFPK80627.pak

6.1.0.21-WS-WASWebSvc-IFPK80627 (7/10/2009, US English, AIX, size 1036803)
Fix Central: https://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.21-WS-WASWebSvc-IFPK80627&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80627/6.1.0.21-WS-WASWebSvc-IFPK80627.pak
DDURL: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80627/6.1.0.21-WS-WASWebSvc-IFPK80627.pak

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Component: Web Services Security
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Version: 6.1.0.17; 6.1.0.21; 6.1.0.23
Edition: Advanced; Base; Enterprise
Business Unit: Cloud & Data Platform
Line of Business: Automation

Document Information

Modified date:
07 October 2019

UID

swg24023723