Security Exposure for WAS: impact on TSAM, ISDM, CB and TPM

Flash (Alert)


Tivoli Service Automation Manager, Integrated Service Delivery Manager, CloudBurst, Tivoli Provisioning Manager: Potential security exposure for WAS (PM43585/PM43792/PM45181)


WSAS Development has been made aware of a potential security exposure, which may impact bundlers of the WebSphere Application Server product. This is to notify you and your teams of this issue.
Detailed information have been posted under the following news FLASH:

- TITLE: Possible security exposure with WebSphere Application Server with WS-Security enabled applications using LTPA tokens (PM43585/PM43792/PM45181)
- URL:
- ABSTRACT: There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS and JAX-RPC.
Versions affected:
WebSphere Application Server, all platforms, Versions 8.0 through, 7.0 through, and 6.1 through, 6.0.2 through
WebSphere Application Server Feature Pack for Web Services Versions through

The following product releases are affected: Tivoli Service Automation Manager releases 7.2.0 - 7.2.1 - 7.2.2, ISDM releases 7.2.1 - 7.2.2, CloudBurst releases 1.2.0 - 2.1.0 – 2.1.1, Tivoli Provisioning Manager releases 5.1.1 - 7.1.1 - 7.2 - 7.2.1

Workaround: Install the WebSphere Application server interim fix for your installed WebSphere Application Server version.

- WebSphere Application Server Interim fix/Fix Pack is available - refer to

- for TPM:
- TPM 7.2.1 install WAS
- For the remaining TPM versions (5.1.1, 7.1.1 and 7.2) the interim fix APAR will be certified by August 17th

- for TSAM/ISDM/CB upgrade the bundled websphere runtime to or higher.

If you need help or additional information contact IBM Support.

Document information

More support for:

Tivoli Service Automation Manager

Software version:

7.2, 7.2.1, 7.2.2,,, 7.2.4

Operating system(s):

AIX, Linux

Reference #:


Modified date:


Translate my page

Content navigation