Flash (Alert)
Abstract
When the Java® API for XML Web Services (JAX-WS) run time is used and the WS-Security policy specifies a Timestamp element, there is a potential risk of a security exposure. The Java API for XML-Based Remote Procedure Call (JAX-RPC) is not impacted.
Content
Versions affected:
IBM WebSphere Application Server Versions 7.0 through 7.0.0.11, and IBM WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32
- All IBM WebSphere Application Server versions earlier than the previously stated versions, and Versions 7.0.0.13 or later, are not affected. However, the Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32 are affected (as noted previously).
- All Feature Pack for Web Services Versions 6.1.0.33 or later are not affected.
Problem description:
When using a WS-Security enabled JAX-WS web service application, if the WS-Security policy specifies 'IncludeTimestamp', there is a potential risk of security exposure.
WS-Security enabled JAX-RPC web service applications are not impacted.
Solutions:
After you apply a fix pack or an interim fix that contains this APAR, the WS-Security run time might reject SOAP messages with an error that is related to the Timestamp element. If this problem occurs, ensure that the WS-Security policy for both the consumer and the provider match.
For more information about the use of the Timestamp element in WebSphere Application Server WS-Security and the precautions you must take, refer to the following WebSphere Application Server Information Center document on the Timestamp element.
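The policy comparison described above, as an added example that is not IBM code: it reports which binding assertions in two WS-SecurityPolicy documents declare IncludeTimestamp and whether the two sides agree. The sample policies, the function names and the namespace URIs are assumptions; elements are matched on local name, so the WS-SecurityPolicy namespace version does not matter.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (assumed layout, not exported from a real cell).
_TEMPLATE = """<wsp:Policy
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      {timestamp}
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
    </wsp:Policy>
  </sp:AsymmetricBinding>
</wsp:Policy>"""
PROVIDER_POLICY = _TEMPLATE.format(timestamp="<sp:IncludeTimestamp/>")
CONSUMER_POLICY = _TEMPLATE.format(timestamp="")


def _local(tag):
    """Strip the '{namespace}' prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def timestamp_bindings(policy_xml):
    """Return sorted names of binding assertions that contain IncludeTimestamp."""
    found = set()

    def walk(node, binding):
        name = _local(node.tag)
        if name.endswith("Binding"):      # e.g. AsymmetricBinding, TransportBinding
            binding = name
        if name == "IncludeTimestamp":
            found.add(binding or "(outside any binding)")
        for child in node:
            walk(child, binding)

    walk(ET.fromstring(policy_xml), None)
    return sorted(found)


def compare(provider_xml, consumer_xml):
    """Report where each side requires a Timestamp and whether they agree."""
    provider = timestamp_bindings(provider_xml)
    consumer = timestamp_bindings(consumer_xml)
    return {"provider": provider, "consumer": consumer,
            "match": provider == consumer}


if __name__ == "__main__":
    print(compare(PROVIDER_POLICY, CONSUMER_POLICY))
```

A result with `match` set to `False` corresponds to the mismatch case in which the patched run time might reject messages with a Timestamp-related error.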
For IBM WebSphere Application Server for distributed operating systems:
- For V7.0 through 7.0.0.11:
  - Apply Fix Pack 11 (7.0.0.11), if your environment is not already at this level
  - Apply Interim Fix APAR PM16014
  - Install Fix Pack 13 (7.0.0.13), or later (targeted to be available October 2010).
For IBM WebSphere Application Server for IBM i operating systems:
- For V7.0 through 7.0.0.11:
  - Apply the WebSphere Application Server PTF group which includes Fix Pack 11 (7.0.0.11), if your environment is not already at this level, according to the PTF group instructions, then
  - Apply Interim Fix APAR PM16014
  - Apply the WebSphere Application Server PTF group which includes Fix Pack 13 (7.0.0.13), or later, (targeted to be available October 2010), according to the PTF group instructions.
For IBM WebSphere Application Server for z/OS operating systems:
- For V7.0 through 7.0.0.12:
For IBM WebSphere Application Server Feature Pack for Web Services:
- For V6.1.0.9 through 6.1.0.31:
  - Apply Fix Pack 29 (6.1.0.29) or Fix Pack 31 (6.1.0.31), or later, if your environment is not already at this level, then
  - Apply Interim Fix APAR PM08360
  - Install Fix Pack 33 (6.1.0.33), or later (targeted to be available September 2010).
Additional documentation:
For additional details and information on WebSphere Application Server product updates, see the following URLs:
- For Distributed operating systems, see Recommended fixes for WebSphere Application Server.
- For IBM i operating systems, see WebSphere Application Server for IBM i.
- For z/OS operating systems, see WebSphere Application Server for z/OS
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Application Servers | WebSphere Application Server for z/OS | Web Services (for example: SOAP or UDDI or WSGW/WSIF) | z/OS, OS/390 | 7.0.0.9, 7.0.0.8, 7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.1, 7.0 | |