Tivoli Service Automation Manager, Integrated Service Delivery Manager, CloudBurst, Tivoli Provisioning Manager: Potential security exposure for WAS (PM43585/PM43792/PM45181)
WSAS Development has been made aware of a potential security exposure, which may impact bundlers of the WebSphere Application Server product. This is to notify you and your teams of this issue.
Detailed information have been posted under the following news FLASH:
- TITLE: Possible security exposure with WebSphere Application Server with WS-Security enabled applications using LTPA tokens (PM43585/PM43792/PM45181)
- URL: http://www-01.ibm.com/support/docview.wss?uid=swg21587536
- ABSTRACT: There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS and JAX-RPC.
WebSphere Application Server, all platforms, Versions 8.0 through 188.8.131.52, 7.0 through 184.108.40.206, and 6.1 through 220.127.116.11, 6.0.2 through 18.104.22.168.
WebSphere Application Server Feature Pack for Web Services Versions 22.214.171.124 through 126.96.36.199.
The following product releases are affected: Tivoli Service Automation Manager releases 7.2.0 - 7.2.1 - 7.2.2, ISDM releases 7.2.1 - 7.2.2, CloudBurst releases 1.2.0 - 2.1.0 – 2.1.1, Tivoli Provisioning Manager releases 5.1.1 - 7.1.1 - 7.2 - 7.2.1
Workaround: Install the WebSphere Application server interim fix for your installed WebSphere Application Server version.
- WebSphere Application Server Interim fix/Fix Pack is available - refer to http://www-01.ibm.com/support/docview.wss?uid=swg21587536
- for TPM:
- TPM 7.2.1 install WAS 188.8.131.52
- For the remaining TPM versions (5.1.1, 7.1.1 and 7.2) the interim fix APAR will be certified by August 17th
- for TSAM/ISDM/CB upgrade the bundled websphere runtime to 184.108.40.206 or higher.
If you need help or additional information contact IBM Support.