Potential security exposure with IBM WebSphere Application Server with JAX-WS or JAX-RS (PM14844, PM14847, PM14765)

Flash (Alert)


Abstract

Potential risk when using Web Services on WebSphere Application Server

Content

Versions affected:

IBM WebSphere Application Server Versions 7.0 through 7.0.0.12, Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32, and Feature Pack for Web 2.0 Version 1.0.1.0 are affected.

IBM WebSphere Application Server Version 6.1 and earlier releases are not affected. However, note that the Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32 installed on top of those releases is affected.

Problem description:
The web services run-time might allow an attacker to cause a denial of service or remotely read arbitrary files on the file system where the run-time is installed. This vulnerability might potentially be exploited on any installation that receives XML messages from untrusted sources. This vulnerability was originally reported by the Apache community's Axis2 project in security advisory CVE-2010-1632.

Solutions:

For IBM WebSphere Application Server for Distributed Platforms:

    For V7.0 through 7.0.0.11:
    • Apply Fix Pack 3 (7.0.0.3), or later, if not already at this level, then
    • Apply Interim Fix APAR PM14844
      --OR--
    • Install Fix Pack 13 (7.0.0.13), or later (targeted to be available October 2010).

For IBM WebSphere Application Server for i5/OS Platforms:
    For V7.0 through 7.0.0.11:
    • Apply Fix Pack 3 (7.0.0.3), or later, if not already at this level, then
    • Apply Interim Fix APAR PM14844
      --OR--
    • Apply the WebSphere Application Server PTF group which includes Fix Pack 13 (7.0.0.13), or later, (targeted to be available October 2010), according to the PTF group instructions.

For IBM WebSphere Application Server for z/OS Platforms:

    For V7.0 through 7.0.0.12:
    • Apply APAR PM14844 by way of the appropriate PTFs for 7.0.0.13 or later (targeted to be available November 2010).

For IBM WebSphere Application Server Feature Pack for Web Services:
    For V6.1.0.9 through 6.1.0.32:
    • Apply Fix Pack 27 (6.1.0.27), or later, if not already at this level, then
    • Apply Interim Fix APAR PM14847
      --OR--
    • Install Fix Pack 33 (6.1.0.33), or later.

For IBM WebSphere Application Server Feature Pack for Web 2.0:
    For Version 1.0.1.0:
    • Apply Interim Fix APAR PM14765
      --OR--
    • Install Web 2.0 Feature Pack Fix Pack 1 (1.0.1.1), or later (targeted to be available November 2010).
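To decide which of the solutions above applies to a given installation, the installed level has to be compared numerically against the affected ranges stated in this advisory; a plain string comparison ranks "7.0.0.12" below "7.0.0.3" and would misclassify hosts. The following is an added example, not IBM tooling, that performs that check over a constructed inventory. The class name WasExposureCheck, the component labels (WAS, FP-WebServices, FP-Web2.0) and the host names are assumptions made for the example; the version ranges are those given in the Versions affected section.

```java
import java.util.Arrays;
import java.util.List;

/** Added example (not IBM code): classify installed levels against this advisory's affected ranges. */
public class WasExposureCheck {

    /** Parses "7.0" or "6.1.0.32" into four numeric components, padding missing ones with 0. */
    static int[] parseVersion(String text) {
        String[] parts = text.trim().split("\\.");
        if (parts.length < 1 || parts.length > 4) {
            throw new IllegalArgumentException("expected 1 to 4 numeric components: " + text);
        }
        int[] v = new int[4];
        for (int i = 0; i < parts.length; i++) {
            v[i] = Integer.parseInt(parts[i]);
        }
        return v;
    }

    /** Component-wise numeric comparison; String.compareTo would put "7.0.0.12" before "7.0.0.3". */
    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 4; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    /** True if version lies in the inclusive range [lo, hi]. */
    static boolean inRange(String version, String lo, String hi) {
        int[] v = parseVersion(version);
        return compare(v, parseVersion(lo)) >= 0 && compare(v, parseVersion(hi)) <= 0;
    }

    /** Affected ranges exactly as the advisory states them (inclusive). */
    static boolean isAffected(String component, String level) {
        switch (component) {
            case "WAS":            return inRange(level, "7.0", "7.0.0.12");      // V7.0 through 7.0.0.12
            case "FP-WebServices": return inRange(level, "6.1.0.9", "6.1.0.32");  // FP for Web Services
            case "FP-Web2.0":      return inRange(level, "1.0.1.0", "1.0.1.0");   // FP for Web 2.0
            default: throw new IllegalArgumentException("unknown component: " + component);
        }
    }

    public static void main(String[] args) {
        // Constructed inventory records in the form "host component level"; not real hosts.
        List<String> inventory = Arrays.asList(
            "app01 WAS 7.0.0.11",
            "app02 WAS 7.0.0.13",
            "app03 FP-WebServices 6.1.0.32",
            "app04 FP-WebServices 6.1.0.33",
            "app05 FP-Web2.0 1.0.1.0");
        for (String rec : inventory) {
            String[] f = rec.split(" ");
            String verdict = isAffected(f[1], f[2])
                ? "AFFECTED: apply the interim fix or fix pack listed for this component"
                : "not affected";
            System.out.printf("%-6s %-15s %-9s %s%n", f[0], f[1], f[2], verdict);
        }
    }
}
```

Running the example reports app01, app03 and app05 as affected and app02 and app04 (already at 7.0.0.13 and 6.1.0.33) as not affected, matching the fix pack levels named in the solutions above.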


Additional documentation:
For additional details and information on WebSphere Application Server product updates:

Cross Reference information

Segment: Application Servers
Product: WebSphere Application Server for z/OS
Component: Web Services (for example: SOAP or UDDI or WSGW/WSIF)
Platform: z/OS, OS/390
Version: 7.0.0.9, 7.0.0.8, 7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.1, 7.0
Edition: Feature Pack for Web 2.0, Feature Pack for Web Services

Segment: Application Servers
Product: WebSphere Application Server Hypervisor Edition
Component: Web Services (for example: SOAP or UDDI or WSGW/WSIF)
Platform: AIX, Linux
Version: 7.0
Edition: All Editions

Document information


More support for:

WebSphere Application Server
Web Services (for example: SOAP or UDDI or WSGW or WSIF)

Software version:

6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.14, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29, 6.1.0.31, 7.0, 7.0.0.1, 7.0.0.3, 7.0.0.5, 7.0.0.7, 7.0.0.9, 7.0.0.11

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS

Software edition:

Base, Express, Feature Pack for Web 2.0, Feature Pack for Web Services, Network Deployment

Reference #:

1433581

Modified date:

2010-06-18