Possible security exposure with Information Services Director and WS-Security enabled services

Information Services Director utilizes JAX-RPC for implementing applications within WebSphere Application Server. Information Services Director applications using the SOAP over HTTP or SOAP over JMS bindings, and with WS-Security enabled, could be potentially affected by this issue.

More detailed information regarding this security issue is available in technote 1587536 for WebSphere Application Server (WAS), located in the related information section below.

To obtain the fix:



Step 1. Determine your WebSphere Application Server Version

The first few lines in the SystemOut.log file will tell you the exact version of WebSphere Application Server (WAS) that is being used, as show in the sample given here:

************ Start Display Current Environment ************
WebSphere Platform 6.0 [BASE 6.0.2.11 cf110623.10]  running with process name coutureNode01Cell\coutureNode01\server1 and process id 16195

In this sample above, the exact version is 6.0.2.11. The location of this file will vary based on the platform and choice of installation directory by the user. The default value will usually be something similar to:

/opt/IBM/WebSphere/AppServer/profiles/default/logs/server1/



Step 2. Locate the version in the WAS Technote 1587536 and then choose a fix method

You can either install the individual JAX-RPC fixes which are identified in the technote, or alternatively you can install the necessary WebSphere Application Server fixpack which contains the fix.