PK80627; Possible security exposure with XML digital signature.

Downloadable files


Abstract

Possible security exposure with XML digital signature.

Download Description

PK80627 resolves the following problem:

ERROR DESCRIPTION:
Possible security exposure with XML digital signature.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
WebSphere Application Server Feature Pack for WebServices users of WS-Security-enabled JAX-WS applications that use a MAC algorithm (shared secret key), such as http://www.w3.org/2000/09/xmldsig#hmac-sha1, for message integrity.

PROBLEM DESCRIPTION:
Web services messages that do not follow XML digital signature best practice may be accepted by the Application Server if those messages otherwise satisfy quality of service policy requirements.

RECOMMENDATION:
Apply APAR PK80627 or a Fix Pack containing this APAR.

PROBLEM CONCLUSION:
The WS-Security runtime was updated to reject messages that do not follow XML digital signature best practice.

After this fix is applied, Web services requests that contain digital signatures not generated by WebSphere Application Servers may be rejected for integrity reasons.

The fix for this APAR is currently targeted for inclusion in Fix Pack 6.1.0.25. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL LANGUAGE SIZE(Bytes)
Readme US English 6078

Download package


Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
6.1.0.17-WS-WASWebSvc-IFPK80627 7/10/2009 US English 1314112 FC FTP DD
6.1.0.23-WS-WASWebSvc-IFPK80627 7/10/2009 US English 997110 FC FTP DD
6.1.0.21-WS-WASWebSvc-IFPK80627 7/10/2009 US English 1036803 FC FTP DD

Technical support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PK80627


Document information


More support for:

WebSphere Application Server
Web Services Security

Software version:

6.1.0.17, 6.1.0.21, 6.1.0.23

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition:

Advanced, Base, Enterprise

Reference #:

4023723

Modified date:

2009-07-10
