IBM Support

PI23430;8.5.5.3: Security Integrity fix for OpenID and OpenID connect


Abstract

Security Integrity fix for OpenID and OpenID connect

Download Description

PI23430 resolves the following problem:

ERROR DESCRIPTION:
Security Integrity fix for OpenID and OpenID Connect.

LOCAL FIX:

PROBLEM SUMMARY:
CVE-2014-6164: WebSphere Application Server could allow a remote attacker to spoof OpenID and OpenID Connect cookies. A remote attacker could create a specially crafted URL which, once clicked by the victim, could provide the attacker with sensitive information.

PROBLEM CONCLUSION:
The OpenID and OpenID Connect Trust Association Interceptors (TAIs) are updated to resolve this Security Integrity issue.

The following property is added to both TAIs:

httpOnly: the values for this property are true and false. The default value is true. When this property is set to true, the HttpOnly flag is set on the cookie, so the cookie is not readable by client-side script.

The following property is updated for the OpenID Relying Party TAI:

httpsRequired: the values for this property are true and false. The default value is true. When this property is set to true, the OpenID Connect RP only establishes connections with an OP that supports https communication. If this property is set to true but the scheme of the authorizeEndpoint, tokenEndpoint or introspectEndpoint is http, the TAI will fail to initialize.
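A pre-flight check for the two properties described above, added here as an illustration and not part of the APAR or of the WebSphere TAI code. It assumes the TAI custom properties are available as a name-to-string dictionary; the property names and defaults are those the APAR text gives, and the sample configurations are constructed.

```python
from urllib.parse import urlparse

# Endpoint properties whose scheme the OIDC RP TAI inspects when httpsRequired=true
# (property names taken from the APAR text).
ENDPOINT_PROPERTIES = ("authorizeEndpoint", "tokenEndpoint", "introspectEndpoint")


def _as_bool(value, default):
    """Interpret a TAI property value as the APAR describes: "true"/"false", default when absent."""
    if value is None:
        return default
    return str(value).strip().lower() == "true"


def check_tai_properties(props):
    """Return a list of findings for a set of TAI custom properties.

    `props` is a dict of property name -> string value (an assumed representation;
    the real TAI reads its custom properties from the WebSphere configuration).
    Findings mirror the APAR rules: httpsRequired=true with an http endpoint means
    the TAI will fail to initialize; httpOnly=false leaves the cookie readable by script.
    """
    findings = []
    https_required = _as_bool(props.get("httpsRequired"), default=True)
    http_only = _as_bool(props.get("httpOnly"), default=True)

    if not http_only:
        findings.append("httpOnly=false: the OpenID/OIDC cookie will be readable by client-side script")

    if https_required:
        for name in ENDPOINT_PROPERTIES:
            url = props.get(name)
            if url is None:
                continue  # property not configured; nothing for the TAI to reject
            if urlparse(url).scheme.lower() != "https":
                findings.append(f"{name}={url}: scheme is not https, TAI will fail to initialize")
    else:
        findings.append("httpsRequired=false: the RP will accept an OP reached over plain http")
    return findings


if __name__ == "__main__":
    # Constructed sample: one compliant and one non-compliant property set.
    good = {"authorizeEndpoint": "https://op.example/auth", "tokenEndpoint": "https://op.example/token"}
    bad = {"httpOnly": "false", "tokenEndpoint": "http://op.example/token"}
    for label, cfg in (("good", good), ("bad", bad)):
        print(label, check_tai_properties(cfg) or "no findings")
```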

This APAR applies to the new OpenID and OpenID Connect features that were added in fixpack 8.5.5.3. There will be no fixes available for this APAR prior to fixpack 8.5.5.3.

Keywords: IBMWL3WSS, OPENID20, OIDC, INTERIMFIX

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, 3531 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI23430/8.5.5.3/readme.txt

Fix package 8.5.5.3-WS-WASProd-IFPI23430 (23 Jan 2015, US English, 296187 bytes, platform: AIX):
Fix Central: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.3-WS-WASProd-IFPI23430&productid=WebSphere Application Server&brandid=5
FTP: ftp://download4.boulder.ibm.com/ecc/sar/CMA/WSA/051yj/0/8.5.5.3-ws-wasprod-ifpi23430.zip

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform
Component: Web Services Security
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Version: 8.5.5.3
Edition: Base; Network Deployment; Single Server
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24039244