Possible security exposure with XML digital signature with IBM WebSphere Application Server (PK80596 and PK80627)

Flash (Alert)


Abstract

Possible security exposure with XML digital signature

Content

Versions Affected:

IBM WebSphere Application Server Versions 6.0 through 6.0.2.33 (6.0.2.34 for z/OS), 6.1 through 6.1.0.23 (6.1.0.24 for z/OS), and 7.0 through 7.0.0.1. All platforms are affected.
This security exposure does not occur on Versions 5.1 or later, 6.0.2.35 or later, 6.1.0.25 or later, or 7.0.0.3 or later.

Usage Scenarios Affected:

  • WS-Security enabled JAX-RPC and JAX-WS web services which employ the shared key digital signature HMAC-SHA1 algorithm are affected by this problem.
  • Users who use secure conversation and Kerberos message protection are affected by this problem.
  • Users who use asymmetric key digital signature such as X.509 message protection are not affected by this problem.

Problem Description:
The WebSphere Application Server may accept web services messages that do not follow XML digital signature best practices if those messages otherwise satisfy quality of service policy requirements. The exposure to exploitation by third parties is reduced if messages are encrypted during transmission either at the message level or at the transport level.

Solutions:
Applying Interim Fix APAR PK80596 or PK80627 (as specified below), or a Fix Pack containing the APAR (as specified below), resolves this issue.
  • Applying this Interim Fix APAR will not affect interoperability between IBM WebSphere Application Servers regardless of whether one or both WebSphere Application Servers have applied the fix.
  • Web services requests that contain digital signatures not generated by a WebSphere Application Server may be rejected after this fix is applied, for integrity reasons.

For WebSphere Application Server Version 6.1 Feature Pack for Web Services:
    For V6.1 through 6.1.0.23:

For IBM WebSphere Application Server for Distributed:
    For V7.0 through 7.0.0.1:
    For V6.1 through 6.1.0.23:
    For V6.0 through 6.0.2.33:


For IBM WebSphere Application Server for i5/OS:

For IBM WebSphere Application Server for z/OS:
    For V7.0 through 7.0.0.1:
    • Apply APAR PK80596 from PTFs for 7.0.0.3 or later.

    For V6.1 through 6.1.0.24:
    • Apply APAR PK80596 from PTFs for 6.1.0.25 or later.

    For V6.0 through 6.0.2.34:
    • Apply APAR PK80596 from PTFs for 6.0.2.35 or later.
For WebSphere Application Server Version 6.1 Feature Pack for Web Services on z/OS:
    For V6.1 through 6.1.0.24:
    • Apply APAR PK80627 from PTFs for 6.1.0.25 or later.


Additional documentation:
For additional details and information on WebSphere Application Server product updates:

Cross Reference information
Segment Product Component Platform Version Edition
Application Servers WebSphere Application Server for z/OS General OS/390, Solaris, z/OS 7.0, 6.1, 6.0
Application Servers WebSphere Application Server for z/OS z/OS 7.0, 6.1, 6.0


Document information


More support for:

WebSphere Application Server
General

Software version:

6.0, 6.1, 7.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition:

Base, Developer, Enterprise, Express, Network Deployment

Reference #:

1384925

Modified date:

2009-07-22
