PK80596: Possible security exposure with XML digital signature

Downloadable files


Abstract

Possible security exposure with XML digital signature

Download Description

PK80596 resolves the following problem:

ERROR DESCRIPTION:
Possible security exposure with XML digital signature.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
WebSphere Application Server users of JAX-WS and JAX-RPC applications using MAC algorithm (shared secret key) such as http://www.w3.org/2000/09/xmldsig#hmac-sha1 for message integrity.

PROBLEM DESCRIPTION:
Web services messages that do not follow XML digital signature best practice may be accepted by the Application Server if those messages otherwise satisfy quality of service policy requirements.

RECOMMENDATION:
Apply APAR PK80596 or a Fix Pack containing this APAR.

PROBLEM CONCLUSION:
The WS-Security runtime was updated to reject messages that do not follow XML digital signature best practice.

After this fix is applied, web services requests that contain digital signatures not generated by WebSphere Application Server may be rejected, because the runtime now enforces these integrity requirements.

The fix for this APAR is currently targeted for inclusion in Fix Packs 6.0.2.35, 6.1.0.25, and 7.0.0.3.

For JAX-WS applications running on WebSphere Application Server V6.1 Feature Pack for Web Services, APAR PK80627 fixes this problem.

Please refer to the Recommended Updates page for delivery information:

http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL              LANGUAGE    SIZE(Bytes)
UpdateInstaller  US English  7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL     LANGUAGE    SIZE(Bytes)
Readme  US English  6232

Download package


Download                   RELEASE DATE  LANGUAGE    SIZE(Bytes)  Download Options
6.0.2.27-WS-WAS-IFPK80596  6/17/2009     US English  354385       FC FTP DD
6.0.2.31-WS-WAS-IFPK80596  6/17/2009     US English  56848        FC FTP DD
6.0.2.33-WS-WAS-IFPK80596  6/17/2009     US English  56840        FC FTP DD
6.1.0.17-WS-WAS-IFPK80596  6/17/2009     US English  660640       FC FTP DD
6.1.0.21-WS-WAS-IFPK80596  6/17/2009     US English  111428       FC FTP DD
6.1.0.23-WS-WAS-IFPK80596  6/17/2009     US English  111419       FC FTP DD

Technical support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PK80596

Document information


More support for:

WebSphere Application Server
Web Services Security

Software version:

6.0.2.27, 6.0.2.31, 6.0.2.33, 6.1.0.17, 6.1.0.21, 6.1.0.23

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

Base, Express, Network Deployment

Reference #:

4023545

Modified date:

2009-07-10