Possible security exposure with XML digital signature with IBM WebSphere Application Server (PK80596 and PK80627)

Flashes (Alerts)


Abstract

Possible security exposure with XML digital signature

Content

Versions Affected:
IBM WebSphere Application Server Versions 6.0 through 6.0.2.33 (6.0.2.34 for z/OS), 6.1 through 6.1.0.23 (6.1.0.24 for z/OS), and 7.0 through 7.0.0.1. All platforms are affected.
This security exposure does not occur on Versions 5.1 or later, 6.0.2.35 or later, 6.1.0.25 or later, or 7.0.0.3 or later.

Usage Scenarios Affected:

  • WS-Security-enabled JAX-RPC and JAX-WS web services that use the shared-key (symmetric) HMAC-SHA1 digital signature algorithm are affected by this problem.
  • Users of secure conversation and Kerberos message protection are affected by this problem.
  • Users of asymmetric-key digital signatures, such as X.509 message protection, are not affected by this problem.

Problem Description:
WebSphere Application Server may accept web services messages that do not follow XML digital signature best practices, provided those messages otherwise satisfy the quality of service policy requirements. Exposure to exploitation by third parties is reduced when messages are encrypted in transit, at either the message level or the transport level.

Solutions:
Applying Interim Fix APAR PK80596 or PK80627 (as specified below), or a Fix Pack containing the APAR (as specified below), resolves this issue.
  • Applying this Interim Fix APAR does not affect interoperability between IBM WebSphere Application Servers, regardless of whether one or both of the servers have applied the fix.
  • Web services requests containing digital signatures that were not generated by WebSphere Application Server may be rejected after this fix is applied, for integrity reasons.

For WebSphere Application Server Version 6.1 Feature Pack for Web Services:
    For V6.1 through 6.1.0.23:

For IBM WebSphere Application Server for Distributed:
    For V7.0 through 7.0.0.1:
    For V6.1 through 6.1.0.23:
    For V6.0 through 6.0.2.33:
For IBM WebSphere Application Server for i5/OS:

For IBM WebSphere Application Server for z/OS:
    For V7.0 through 7.0.0.1:
    • Apply APAR PK80596 from PTFs for 7.0.0.3 or later.

    For V6.1 through 6.1.0.24:
    • Apply APAR PK80596 from PTFs for 6.1.0.25 or later.

    For V6.0 through 6.0.2.34:
    • Apply APAR PK80596 from PTFs for 6.0.2.35 or later.

For WebSphere Application Server Version 6.1 Feature Pack for Web Services on z/OS:
    For V6.1 through 6.1.0.24:
    • Apply APAR PK80627 from PTFs for 6.1.0.25 or later.
Additional documentation:
For additional details and information on WebSphere Application Server product updates:


Document Information

Modified date:
25 September 2022

UID

swg21384925