Potential security exposure with WebSphere Application Server with "Requires SSL" option of single sign-on (PM00610)

Flash (Alert)


Abstract

"Requires SSL" option of single sign-on does not function properly.

Content

Versions Affected:
IBM WebSphere Application Server Versions 7.0.0.0 through 7.0.0.8.
This problem does not occur on earlier versions, releases, and fix packs, nor does it affect releases 7.0.0.9 or later.

Problem Description:

Due to a change in how the configuration data is processed, the “Requires SSL” option for Single Sign-on (SSO) is not detected and not honored as expected. In the WebSphere Application Server Administration Console under Global Security > Web and SIP Security > Single Sign-on (SSO), if "requires SSL" is checked, then this fix will be required in order for this option to be in effect.
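Added example, not part of the IBM flash: a defender-side check that parses the Set-Cookie headers of a login response and reports whether the SSO token cookie carries the Secure attribute, which is the behaviour "Requires SSL" is expected to enforce. It assumes WebSphere's LTPA cookie names (LtpaToken, LtpaToken2) and uses constructed headers rather than a capture from a real server.

```python
"""Verify that WebSphere SSO (LTPA) cookies are marked Secure.

Added example for post-fix verification; not IBM code. The SSO cookie
names below are an assumption based on WebSphere's LTPA cookie names.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SSO_COOKIE_NAMES = {"ltpatoken", "ltpatoken2"}  # assumed LTPA cookie names


@dataclass
class CookieFinding:
    name: str
    secure: bool
    httponly: bool


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into (cookie name, {attr: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flags like Secure map to ""
    return name, attrs


def audit_sso_cookies(set_cookie_headers: List[str]) -> List[CookieFinding]:
    """Report Secure/HttpOnly status for every SSO cookie in the response."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.lower() in SSO_COOKIE_NAMES:
            findings.append(CookieFinding(name, "secure" in attrs, "httponly" in attrs))
    return findings


def requires_ssl_honored(set_cookie_headers: List[str]) -> bool:
    """True only if at least one SSO cookie was issued and all of them are Secure."""
    findings = audit_sso_cookies(set_cookie_headers)
    return bool(findings) and all(f.secure for f in findings)


# Constructed sample headers (token value is a placeholder, not real data).
UNPATCHED_HEADERS = [
    "JSESSIONID=0000abc:1; Path=/; HttpOnly",
    "LtpaToken2=TOKEN_PLACEHOLDER; Path=/; Domain=.example.com; HttpOnly",
]
PATCHED_HEADERS = [
    "JSESSIONID=0000abc:1; Path=/; HttpOnly",
    "LtpaToken2=TOKEN_PLACEHOLDER; Path=/; Domain=.example.com; Secure; HttpOnly",
]

if __name__ == "__main__":
    for label, headers in (("before fix", UNPATCHED_HEADERS), ("after fix", PATCHED_HEADERS)):
        print(f"{label}: Requires SSL honored = {requires_ssl_honored(headers)}")
```

In practice, feed the function the Set-Cookie headers captured from an HTTPS login against the server after applying PM00610; a missing Secure attribute on the LTPA cookie indicates the option is still not in effect.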

CVE Reference: CVE-2010-0563

Solutions:

Applying Interim Fix APAR PM00610, or a Fix Pack containing PM00610, resolves this issue.

For IBM WebSphere Application Server for Distributed:

    For V7.0 through V7.0.0.7:
      • Apply Fix Pack 1 (v7.0.0.1 or later), if not already at that level, then
      • Apply Interim Fix APAR PM00610
      --OR--
      • Apply Fix Pack 9 (7.0.0.9) or later (projected availability: April 2010).

For IBM WebSphere Application Server for i5/OS:
    For V7.0 through 7.0.0.7:
      • Apply Fix Pack 1 (v7.0.0.1 or later), if not already at that level, then
      • Apply Interim fix APAR PM00610
      --OR--

For IBM WebSphere Application Server for z/OS:
    For V7.0 through 7.0.0.8:
      • Apply APAR PM00610 from the PTFs for 7.0.0.9 or later (projected availability: April 2010).

Additional documentation:
For additional details and information on WebSphere Application Server product updates:
For Distributed, see Recommended fixes for Websphere Application Server.
For i5/OS, see WebSphere Application Server for i5/OS.
For z/OS, see APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.

Cross reference information
    Segment:   Application Servers
    Product:   WebSphere Application Server for z/OS
    Component: Security
    Platform:  z/OS
    Version:   7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.1, 7.0
    Edition:   (none listed)

Document information


More support for:

WebSphere Application Server
Security

Software version:

7.0, 7.0.0.1, 7.0.0.3, 7.0.0.5, 7.0.0.7

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS

Software edition:

Developer, Express, Network Deployment

Reference #:

1417839

Modified date:

2010-02-05