Fix Available: Security vulnerability in WebSphere Application Server might affect Portal, WCM or Quickr customers

Technote (FAQ)


Question

Administrators of IBM WebSphere Portal, Workplace Web Content Management, Lotus Web Content Management or Lotus Quickr for WebSphere Portal should verify the underlying fix pack service release level of the Application Server in their environment for this important security issue.

Answer

Issue:
JAX-RPC WS-Security might improperly validate UsernameTokens (PK75992)

Versions affected:
IBM WebSphere Application Server Versions 6.0.2.25 through 6.0.2.31, 6.1.0.15 through 6.1.0.21 (6.1.0.22 for z/OS), and 7.0.0.0 through 7.0.0.1.
This security exposure does not occur on versions 5.1, 6.0.2 through 6.0.2.24, 6.0.2.33 or later, 6.1 through 6.1.0.14, 6.1.0.23 or later, and 7.0.0.3 or later.
Numerous releases of IBM WebSphere Portal, Workplace Web Content Management, Lotus Web Content Management or Lotus Quickr services for WebSphere Portal, as well as other products running on WebSphere Application Server, could be affected. Administrators of these products should follow the appropriate recommendations to avoid problems.
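
As an added example (not IBM's code and not part of the original technote), the version ranges above can be checked against an inventory of installed Application Server versions. The function names, the `zos` flag and the sample inventory are assumptions; "or later" is assumed to mean later fix packs of the same release, and versions the technote places in neither list are reported as "not stated" rather than guessed.

```python
# Added example: classify WebSphere Application Server versions against the
# PK75992 ranges quoted in this technote. Names and sample data are hypothetical.
AFFECTED, NOT_AFFECTED, NOT_STATED = "affected", "not affected", "not stated"

def parse(version):
    """Turn '6.1.0.21' into (6, 1, 0, 21); reject any other shape."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("expected four numeric fields, got %r" % version)
    return tuple(int(p) for p in parts)

def classify(version, zos=False):
    """Return AFFECTED, NOT_AFFECTED or NOT_STATED for one installed version."""
    v = parse(version)
    # Affected (inclusive); the 6.1 upper bound is one fix pack higher on z/OS.
    affected = [
        ((6, 0, 2, 25), (6, 0, 2, 31)),
        ((6, 1, 0, 15), (6, 1, 0, 22) if zos else (6, 1, 0, 21)),
        ((7, 0, 0, 0), (7, 0, 0, 1)),
    ]
    if any(lo <= v <= hi for lo, hi in affected):
        return AFFECTED
    # Explicitly listed as not exposed.
    if v[:2] == (5, 1):
        return NOT_AFFECTED
    clean = [((6, 0, 2, 0), (6, 0, 2, 24)), ((6, 1, 0, 0), (6, 1, 0, 14))]
    if any(lo <= v <= hi for lo, hi in clean):
        return NOT_AFFECTED
    # "or later" is assumed to mean later fix packs of the same release.
    fixed_from = [(6, 0, 2, 33), (6, 1, 0, 23), (7, 0, 0, 3)]
    if any(v[:2] == start[:2] and v >= start for start in fixed_from):
        return NOT_AFFECTED
    # Anything else (for example 6.0.2.32 or 7.0.0.2) is not covered by the text.
    return NOT_STATED

if __name__ == "__main__":
    # Constructed inventory: (host, version, runs on z/OS)
    inventory = [
        ("portal-a", "6.0.2.29", False),
        ("portal-b", "6.1.0.22", False),
        ("wcm-zos", "6.1.0.22", True),
        ("quickr-a", "7.0.0.3", False),
    ]
    for host, version, zos in inventory:
        print("%-10s %-9s %s" % (host, version, classify(version, zos)))
```

Treat a "not stated" result as a prompt to confirm the exposure with the WebSphere Application Server security bulletin referenced below, not as a clean result.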

Problem Description:
When WS-Security is used for JAX-RPC applications, the WS-Security runtime has a potential security exposure and may incorrectly validate a UsernameToken. This could allow an attacker to gain unauthorized authenticated access. The problem does not exist when WebSphere web services clients are used.

For more information:
Refer to "Security Exposure: WebSphere Application Server with JAX-RPC WS-Security may improperly validate UsernameTokens (PK75992)" (#1367223) provided by the WebSphere Application Server support team.


Related information

WebSphere Application Server Flash


    Cross reference information

    Segment | Product | Component | Platform | Version | Edition
    Enterprise Content Management | Workplace Web Content Management | Security & User Management | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.0, 5.1.0 | Java edition
    Enterprise Content Management | IBM Web Content Manager | Security & User Management | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 6.1 | Java edition
    Organizational Productivity - Portals & Collaboration | WebSphere Portal End of Support Products | WebSphere Application Server Integration | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 5.1 | Enable, Experience, Extend
    Organizational Productivity - Portals & Collaboration | Lotus Quickr for WebSphere Portal | WebSphere Application Server Integration | Linux, Windows | 8.1 | All Editions

Document information

More support for: WebSphere Portal, WebSphere Application Server Integration
Software version: 6.0, 6.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
Software edition: Enable, Express, Extend, Server
Reference #: 1393631
Modified date: 2009-07-13
