Flash (Alert)
Abstract
Potential risk when using Web Services on WebSphere Application Server
Content
Versions affected:
IBM WebSphere Application Server Versions 7.0 through 7.0.0.12, Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32, and Feature Pack for Web 2.0 Version 1.0.1.0 are affected.
IBM WebSphere Application Server Version 6.1 and earlier releases are not affected. Note, however, that the Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32 installed on those releases is affected.
Problem description:
The web services runtime might allow an attacker to cause a denial of service or to remotely read arbitrary files on the file system of the machine where the runtime is installed. Any installation that accepts XML messages from untrusted sources is potentially exposed. This vulnerability was originally reported by the Apache community's Axis2 project in security advisory CVE-2010-1632.
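The underlying issue is that an inbound SOAP message may carry a DTD whose entity declarations read local files or expand into a denial of service. The following is an added example (not IBM's or Apache Axis2's code) of a gateway-side pre-filter that takes the same approach as the fix for CVE-2010-1632, refusing any message that declares a DOCTYPE before it reaches the web services runtime; the sample envelopes and the operation name `getQuote` are constructed.

```python
import xml.parsers.expat

# Constructed sample messages (not from the advisory). The second and third carry
# a DTD: one declares an external entity (file read), the other an internal
# entity chain of the kind used for expansion denial of service.
BENIGN_SOAP = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
               b'<soapenv:Body><getQuote><symbol>IBM</symbol></getQuote></soapenv:Body>'
               b'</soapenv:Envelope>')
XXE_SOAP = (b'<!DOCTYPE soapenv:Envelope [<!ENTITY ext SYSTEM "file:///PLACEHOLDER_PATH">]>'
            b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soapenv:Body><getQuote><symbol>&ext;</symbol></getQuote></soapenv:Body>'
            b'</soapenv:Envelope>')
DOS_SOAP = (b'<!DOCTYPE x [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">]>'
            b'<x>&b;&b;&b;&b;</x>')


class DtdRejected(Exception):
    """Inbound message declared a DOCTYPE (the only place entities can be declared)."""


def check_soap_message(raw: bytes) -> str:
    """Parse raw with expat; return the root element's local name or raise.

    DtdRejected is raised from the DOCTYPE callback before the internal subset
    is parsed, so no entity expansion ever runs. Refusing external entity
    references is a second layer in case a DTD were ever let through. Using a
    real XML parser rather than a byte regex for "<!DOCTYPE" means UTF-16
    encoded messages are covered as well.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdRejected(f"DOCTYPE {name!r} not allowed in SOAP messages")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # returning 0 makes expat abort instead of resolving the entity

    def on_start(name, attrs):
        if not root:
            root.append(name.rsplit(" ", 1)[-1])  # strip the namespace URI

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(raw, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return root[0]


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_SOAP), ("xxe", XXE_SOAP), ("dos", DOS_SOAP)]:
        try:
            print(label, "accepted, root =", check_soap_message(msg))
        except DtdRejected as err:
            print(label, "rejected:", err)
```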
Solutions:
For IBM WebSphere Application Server for Distributed Platforms:
For V7.0 through 7.0.0.11:
- Apply Fix Pack 3 (7.0.0.3), or later, if not already at this level, then
- Apply Interim Fix APAR PM14844
--OR--
- Install Fix Pack 13 (7.0.0.13), or later (targeted to be available October 2010).
For IBM WebSphere Application Server for i5/OS Platforms:
For V7.0 through 7.0.0.11:
- Apply Fix Pack 3 (7.0.0.3), or later, if not already at this level, then
- Apply Interim Fix APAR PM14844
--OR--
- Apply the WebSphere Application Server PTF group which includes Fix Pack 13 (7.0.0.13), or later (targeted to be available October 2010), according to the PTF group instructions.
For IBM WebSphere Application Server for z/OS Platforms:
For V7.0 through 7.0.0.12:
For IBM WebSphere Application Server Feature Pack for Web Services:
For V6.1.0.9 through 6.1.0.32:
- Apply Fix Pack 27 (6.1.0.27), or later, if not already at this level, then
- Apply Interim Fix APAR PM14847
--OR--
- Install Fix Pack 33 (6.1.0.33), or later.
For IBM WebSphere Application Server Feature Pack for Web 2.0:
For Version 1.0.1.0:
- Apply Interim Fix APAR PM14765
--OR--
- Install Web 2.0 Feature Pack Fix Pack 1 (1.0.1.1), or later (targeted to be available November 2010).
Additional documentation:
For additional details and information on WebSphere Application Server product updates:
- For Distributed, see Recommended fixes for WebSphere Application Server.
- For i5/OS, see WebSphere Application Server for i5/OS.
- For z/OS, see WebSphere Application Server for z/OS.
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Application Servers | WebSphere Application Server for z/OS | Web Services(for example: SOAP or UDDI or WSGW/WSIF) | z/OS, OS/390 | 7.0.0.9, 7.0.0.8, 7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.1, 7.0 | Feature Pack for Web 2.0, Feature Pack for Web Services |
| Application Servers | WebSphere Application Server Hypervisor Edition | Web Services(for example: SOAP or UDDI or WSGW/WSIF) | AIX, Linux | 7.0 | All Editions |