Skip to main content

Software  >  WebSphere  >  

Possible security exposure with XML digital signature with IBM WebSphere Application Server (PK80596 and PK80627)

 Flash (Alert)
 
Abstract
Possible security exposure with XML digital signature
 
Content
Versions Affected:
IBM WebSphere Application Server Versions 6.0 through 6.0.2.33 (6.0.2.34 for z/OS), 6.1 through 6.1.0.23 (6.1.0.24 for z/OS), and 7.0 through 7.0.0.1. All platforms are affected.
This security exposure does not occur on Versions 5.1 or later, 6.0.2.35 or later, 6.1.0.25 or later, or 7.0.0.3 or later.

Usage Scenarios Affected:
  • WS-Security enabled JAX-RPC and JAX-WS web services which employ the shared key digital signature HMAC-SHA1 algorithm are affected by this problem.
  • Users who use secure conversation and Kerberos message protection are affected by this problem.
  • Users who use asymmetric key digital signature such as X.509 message protection are not affected by this problem.

Problem Description:
The WebSphere Application Server may accept web services messages that do not follow XML digital signature best practices if those messages otherwise satisfy quality of service policy requirements. The exposure to exploitation by third parties is reduced if messages are encrypted during transmission either at the message level or at the transport level.

Solutions:
Applying Interim Fix APAR PK80596 or PK80627 (as specified below), or a Fix Pack containing the APAR (as specified below), resolves this issue.
  • Applying this Interim Fix APAR will not affect interoperability between IBM WebSphere Application Servers regardless of whether one or both WebSphere Application Servers have applied the fix.
  • Web services requests that contain digital signatures that are not generated by WebSphere Application Servers may be rejected after applying this fix for integrity consideration.

For WebSphere Application Server Version 6.1 Feature Pack for Web Services:
    For V6.1 through 6.1.0.23:

For IBM WebSphere Application Server for Distributed:
    For V7.0 through 7.0.0.1:
    For V6.1 through 6.1.0.23:
    For V6.0 through 6.0.2.33:


For IBM WebSphere Application Server for i5/OS:

For IBM WebSphere Application Server for z/OS:
    For V7.0 through 7.0.0.1:
    • Apply APAR PK80596 from PTFs for 7.0.0.3 or later.

    For V6.1 through 6.1.0.24:
    • Apply APAR PK80596 from PTFs for 6.1.0.25 or later.

    For V6.0 through 6.0.2.34:
    • Apply APAR PK80596 from PTFs for 6.0.2.35 or later.
For WebSphere Application Server Version 6.1 Feature Pack for Web Services on z/OS:
    For V6.1 through 6.1.0.24:
    • Apply APAR PK80627 from PTFs for 6.1.0.25 or later.


Additional documentation:
For additional details and information on WebSphere Application Server product updates:
 
 
Cross Reference information
Segment Product Component Platform Version Edition
Application ServersWebSphere Application Server for z/OSGeneralOS/390, Solaris, z/OS7.0, 6.1, 6.0
Application ServersWebSphere Application Server for z/OS z/OS7.0, 6.1, 6.0
 
 

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Rate this page
Please take a moment to complete this form to help us better serve you.
This material provides me with the information I need.




This material is clear and easy to understand.




Did the information help you to achieve your goal?
What updates, improvements, or related information would you like to see in this document?
Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.
Input the verification number to submit feedback:
Document information
 Product categories:
 Software
 Application Servers
 Distributed Application & Web Servers
 WebSphere Application Server for z/OS
 General
 Operating system(s):
  AIX, HP-UX, IBM i, Linux, Solaris, Windows
 Software version:
  6.0, 6.1, 7.0
 Software edition:
  Base, Developer, Enterprise, Express, Network Deployment
 Reference #:
  1384925
 IBM Group:
 Software Group
 Modified date:
 2009-07-22

Translate My Page
 
 

Rate this page

Help us improve this page. Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.