
Security Exposure for WAS: impact on TSAM, ISDM, CB and TPM


Flash (Alert)


Abstract

Tivoli Service Automation Manager, Integrated Service Delivery Manager, CloudBurst, Tivoli Provisioning Manager: Potential security exposure for WAS (PM43585/PM43792/PM45181)

Content

WSAS Development has been made aware of a potential security exposure, which may impact bundlers of the WebSphere Application Server product. This is to notify you and your teams of this issue.

Detailed information has been posted under the following news FLASH:

- TITLE: Possible security exposure with WebSphere Application Server with WS-Security enabled applications using LTPA tokens (PM43585/PM43792/PM45181)
- URL: http://www-01.ibm.com/support/docview.wss?uid=swg21587536
- ABSTRACT: There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.

Versions affected:

- WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, 6.1 through 6.1.0.41, and 6.0.2 through 6.0.2.43.
- WebSphere Application Server Feature Pack for Web Services, Versions 6.1.0.9 through 6.1.0.39.

TPM/TSAM/ISDM/CB impact:

The following product releases are affected:

- Tivoli Service Automation Manager releases 7.2.0, 7.2.1, 7.2.2
- ISDM releases 7.2.1, 7.2.2
- CloudBurst releases 1.2.0, 2.1.0, 2.1.1
- Tivoli Provisioning Manager releases 5.1.1, 7.1.1, 7.2, 7.2.1

Workaround: Install the WebSphere Application Server interim fix for your installed WebSphere Application Server version.

Status:
- A WebSphere Application Server interim fix/Fix Pack is available; refer to http://www-01.ibm.com/support/docview.wss?uid=swg21587536
- For TPM:
  - TPM 7.2.1: install WAS 6.1.0.43.
  - For the remaining TPM versions (5.1.1, 7.1.1 and 7.2), the interim fix APAR will be certified by August 17th.
- For TSAM/ISDM/CB: upgrade the bundled WebSphere runtime to 6.1.0.43 or higher.

If you need help or additional information, contact IBM Support.



Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Document information

Tivoli Service Automation Manager


Software version:
7.2, 7.2.1, 7.2.2, 7.2.2.1, 7.2.2.2


Operating system(s):
AIX, Linux


Reference #:
1605107


Modified date:
2012-09-18
