Potential security exposure with the JAX-WS WS-Security run time and the Timestamp element (PM16014 and PM08360)

Flash (Alert)


Abstract

When the Java® API for XML Web Services (JAX-WS) run time and the WS-Security policy specifies a Timestamp element, there is a potential risk of a security exposure. Java APIs for XML-Based Remote Procedure Call (JAX-RPC) is not impacted.

Content

Versions affected:

IBM WebSphere Application Server Versions 7.0 through 7.0.0.11, and IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32

    • All IBM WebSphere Application Server versions earlier than the previously stated versions, and Versions 7.0.0.13 or later, are not affected. However, the Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32 are affected (as noted previously).
    • All Feature Pack for Web Services Versions 6.1.0.33 or later are not affected.

Problem description:
When using a WS-Security enabled JAX-WS web service application, if the WS-Security policy specifies 'IncludeTimestamp', there is a potential risk of security exposure.

WS-Security enabled JAX-RPC web service applications are not impacted.

Solutions:
After you apply a fix pack or an interim fix that contains this APAR, the WS-Security run time might reject SOAP messages with an error that is related to the Timestamp element. If this problem occurs, ensure that the WS-Security policy for both the consumer and the provider match.
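As an added illustration (not IBM's code and not a description of this APAR's defect), the checks a WS-Security consumer applies to the Timestamp element when its policy specifies IncludeTimestamp: the element must be present, covered by the message Signature, and carry a consistent, unexpired Created/Expires pair. The WSS 1.0 namespaces are the standard ones; the sample message and the five-minute clock-skew allowance are constructed assumptions.

```python
# Added illustration (not WebSphere code): Timestamp checks under IncludeTimestamp.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "ds": "http://www.w3.org/2000/09/xmldsig#",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample: the Timestamp carries a wsu:Id that the Signature references.
SAMPLE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soap:Header><wsse:Security>
  <wsu:Timestamp wsu:Id="TS-1">
   <wsu:Created>2010-08-26T10:00:00Z</wsu:Created>
   <wsu:Expires>2010-08-26T10:05:00Z</wsu:Expires>
  </wsu:Timestamp>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#TS-1"/><ds:Reference URI="#Body-1"/>
  </ds:SignedInfo></ds:Signature>
 </wsse:Security></soap:Header><soap:Body wsu:Id="Body-1"/>
</soap:Envelope>""".format(**NS)

def parse_wsu_time(text):
    """Parse the UTC xsd:dateTime ('Z' suffix) used in wsu:Created and wsu:Expires."""
    if not text:
        return None
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_timestamp(xml_text, now, max_skew=timedelta(minutes=5)):
    """Return (ok, reason): reject a message whose Timestamp is absent, unsigned, stale or future."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    ts = sec.find("wsu:Timestamp", NS) if sec is not None else None
    if ts is None:
        return False, "policy requires a Timestamp but the message has none"
    # The Timestamp must be part of the signed content, not merely present.
    refs = {r.get("URI") for r in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)}
    if "#" + (ts.get(WSU_ID) or "") not in refs:
        return False, "Timestamp is not covered by the Signature"
    created = parse_wsu_time(ts.findtext("wsu:Created", namespaces=NS))
    expires = parse_wsu_time(ts.findtext("wsu:Expires", namespaces=NS))
    if created is None or expires is None or expires <= created:
        return False, "Created/Expires missing or inconsistent"
    if created - now > max_skew:
        return False, "Created lies in the future beyond the allowed clock skew"
    if now >= expires:
        return False, "Timestamp has expired"
    return True, "ok"
```

A consumer and provider whose policies disagree on IncludeTimestamp fail exactly at the first check, which is the mismatch the solution above tells you to resolve.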

For more information about the use of the Timestamp element in WebSphere Application Server WS-Security and the precautions you must take, refer to the following WebSphere Application Server Information Center document on the Timestamp element.

For IBM WebSphere Application Server for distributed operating systems:
    For V7.0 through 7.0.0.11:
    • Apply Fix Pack 11 (7.0.0.11), if your environment is not already at this level
    • Apply Interim Fix APAR PM16014
    --OR--
    • Install Fix Pack 13 (7.0.0.13), or later (targeted to be available October 2010).

For IBM WebSphere Application Server for IBM i operating systems:
    For V7.0 through 7.0.0.11: --OR--

For IBM WebSphere Application Server for z/OS operating systems:
    For V7.0 through 7.0.0.12:
    • Apply APAR PM16014 by way of the appropriate PTFs for 7.0.0.13, or later (targeted to be available November 2010).

For IBM WebSphere Application Server Feature Pack for Web Services:
    For V6.1.0.9 through 6.1.0.31:
    • Apply Fix Pack 29 (6.1.0.29) or Fix Pack 31 (6.1.0.31), or later, if your environment is not already at this level, then
    • Apply Interim Fix APAR PM08360
    --OR--
    • Install Fix Pack 33 (6.1.0.33), or later (targeted to be available September 2010).

Additional documentation:
For additional details and information on WebSphere Application Server product updates, see the following URLs:

Cross Reference information
    Segment: Application Servers
    Product: WebSphere Application Server for z/OS
    Component: Web Services (for example: SOAP or UDDI or WSGW/WSIF)
    Platform: z/OS, OS/390
    Version: 7.0.0.9, 7.0.0.8, 7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.1, 7.0
    Edition: (not specified)

Document information


More support for:

WebSphere Application Server
Web Services (for example: SOAP or UDDI or WSGW or WSIF)

Software version:

6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.14, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29, 6.1.0.31, 7.0, 7.0.0.1, 7.0.0.3, 7.0.0.5, 7.0.0.7, 7.0.0.9, 7.0.0.11

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS

Software edition:

Base, Developer, Express, Feature Pack for Web Services, Network Deployment

Reference #:

1443736

Modified date:

2010-08-26