Abstract
Possible security exposure with WebSphere Application Server with WS-Security enabled JAX-WS applications using LTPA tokens
Download Description
PM43792 resolves the following problem:
ERROR DESCRIPTION:
An error in web services security (WS-Security) processing of an inbound LTPA token may cause a user to gain elevated privileges on the provider system.
USERS AFFECTED:
IBM WebSphere Application Server Feature Pack for Web Services users of WS-Security enabled JAX-WS applications and LTPA tokens.
PROBLEM DESCRIPTION:
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). Because of an error in LTPA token processing, a user could unpredictably gain elevated privileges on the provider system.
RECOMMENDATION:
Install a fix pack or ifix that contains this APAR.
Do one of the following:
* Install fix pack 6.1.0.41 or later.
* Install interim fix 6.1.0.9-WS-WASWebSvc-IFPM43792.pak.
Also investigate the corresponding fix for the JAX-RPC runtime under APAR PM45181.
PROBLEM CONCLUSION:
The WS-Security runtime is updated to fix this potential security vulnerability.
This issue exists in IBM WebSphere Application Server 7.0.0.0 through 7.0.0.21 and 8.0.0.0 through 8.0.0.2; it is fixed under APAR PM43585.
This issue also exists for the JAX-RPC runtime in IBM WebSphere Application Server 6.0.2.0 through 6.0.2.43, 6.1.0.0 through 6.1.0.41, 7.0.0.0 through 7.0.0.21, and 8.0.0.0 through 8.0.0.2; it is fixed under APAR PM45181.
The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.41. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/support/entry/portal/Overview/Software/WebSphere/WebSphere_Application_Server), or contact 1-800-IBM-SERV (U.S. only).
Document Information
Modified date:
15 June 2018
UID
swg24032573