IBM Support

PM14847; 6.1.0.29: There is a security exposure related to JAX-WS web services.

Download


Abstract

There is a security exposure related to JAX-WS web services.

Download Description

PM14847 resolves the following problem:

ERROR DESCRIPTION:
There is a security exposure related to JAX-WS web services.

The exposure can cause data tampering, denial of service and possible exposure of server file contents.

A malicious client may use DTD (Document Type Definitions) to attack the JAX-WS Web service.

LOCAL FIX:

PROBLEM SUMMARY:

USERS AFFECTED:
IBM WebSphere Application Server Feature Pack for Web Services users of JAX-WS

PROBLEM DESCRIPTION:
There is a security exposure related to JAX-WS web services.

RECOMMENDATION:
Install a fixpack containing this APAR

There is a security exposure related to JAX-WS web services.

The exposure can cause data tampering, denial of service and possible exposure of server file contents.

A malicious client may use DTD (Document Type Definitions) to attack the JAX-WS Web service.

The exposure is greater if the endpoint hosts XML/HTTP (i.e. not SOAP) Web services.

PROBLEM CONCLUSION:
The JAX-WS web service runtime is changed to disable the processing of DTDs contained within incoming messages.

The fix for this APAR is currently targeted for inclusion in
fix pack 6.1.0.33. Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 7930): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM14847/readme.txt

6.1.0.27-WS-WASWebSvc-IFPM14847 (6/7/2010, US English, AIX, size 101067):
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.27-WS-WASWebSvc-IFPM14847&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM14847/6.1.0.27-WS-WASWebSvc-IFPM14847.pak

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Business Unit: Cloud & Data Platform
Component: Web Services (for example: SOAP or UDDI or WSGW or WSIF)
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Version: 6.0.2.31; 6.1.0.27; 6.1.0.29
Edition: Base; Network Deployment
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24027019