IBM Support

PM43792; 6.1.0.9: Possible security exposure with WebSphere Application Server

Abstract

Possible security exposure with WebSphere Application Server with WS-Security enabled JAX-WS applications using LTPA tokens

Download Description

PM43792 resolves the following problem:

ERROR DESCRIPTION:
An error in web services security (WS-Security) processing of an inbound LTPA token may cause a user to gain elevated privileges on the provider system.

USERS AFFECTED:
IBM WebSphere Application Server Feature Pack for Web Services users of WS-Security enabled JAX-WS applications and LTPA tokens.

PROBLEM DESCRIPTION:
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). Because of an error in LTPA token processing, a user could at random gain elevated privileges on the provider system.

RECOMMENDATION:
Install a fix pack or ifix that contains this APAR.

Do one of the following:
* Install fix pack 6.1.0.41 or later.
* Install interim fix 6.1.0.9-WS-WASWebSvc-IFPM43792.pak.

Also investigate the corresponding fix for the JAX-RPC runtime on APAR PM45181.

PROBLEM CONCLUSION:
The WS-Security runtime is updated to fix this potential security vulnerability.

This issue exists in IBM WebSphere Application Server 7.0.0.0 through 7.0.0.21 and 8.0.0.0 through 8.0.0.2; it is fixed under APAR PM43585.
This issue also exists for the JAX-RPC runtime in IBM WebSphere Application Server 6.0.2.0 through 6.0.2.43, 6.1.0.0 through 6.1.0.41, 7.0.0.0 through 7.0.0.21, and 8.0.0.0 through 8.0.0.2; it is fixed under APAR PM45181.

The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.41. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, 7250000 bytes): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, 5974 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM43792/readme.txt

Download Options

6.1.0.9-WS-WASWebSvc-IFPM43792 (1 May 2012, US English, AIX, 18671 bytes)
* Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.9-WS-WASWebSvc-IFPM43792&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
* FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM43792/6.1.0.9-WS-WASWebSvc-IFPM43792.pak
* Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM43792/6.1.0.9-WS-WASWebSvc-IFPM43792.pak

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/support/entry/portal/Overview/Software/WebSphere/WebSphere_Application_Server), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform (BU053)
Component: Web Services Security
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 6.1.0.9; 6.1.0.11; 6.1.0.13; 6.1.0.15; 6.1.0.17; 6.1.0.19; 6.1.0.21; 6.1.0.23; 6.1.0.25; 6.1.0.27; 6.1.0.29; 6.1.0.31; 6.1.0.33; 6.1.0.35; 6.1.0.37; 6.1.0.39
Edition: Advanced; Base; Network Deployment; Single Server
Line of Business: Automation (LOB45)

Document Information

Modified date: 15 June 2018

UID: swg24032573