Tivoli Service Automation Manager, Integrated Service Delivery Manager, CloudBurst, Tivoli Provisioning Manager: Potential security exposure for WAS (PM43585/PM43792/PM45181)
WSAS Development has been made aware of a potential security exposure, which may impact bundlers of the WebSphere Application Server product. This is to notify you and your teams of this issue.
Detailed information have been posted under the following news FLASH:
- TITLE: Possible security exposure with WebSphere Application Server with WS-Security enabled applications using LTPA tokens (PM43585/PM43792/PM45181)
- URL: http://www-01.ibm.com/support/docview.wss?uid=swg21587536
- ABSTRACT: There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS and JAX-RPC.
WebSphere Application Server, all platforms, Versions 8.0 through 126.96.36.199, 7.0 through 188.8.131.52, and 6.1 through 184.108.40.206, 6.0.2 through 220.127.116.11.
WebSphere Application Server Feature Pack for Web Services Versions 18.104.22.168 through 22.214.171.124.
The following product releases are affected: Tivoli Service Automation Manager releases 7.2.0 - 7.2.1 - 7.2.2, ISDM releases 7.2.1 - 7.2.2, CloudBurst releases 1.2.0 - 2.1.0 – 2.1.1, Tivoli Provisioning Manager releases 5.1.1 - 7.1.1 - 7.2 - 7.2.1
Workaround: Install the WebSphere Application server interim fix for your installed WebSphere Application Server version.
- WebSphere Application Server Interim fix/Fix Pack is available - refer to http://www-01.ibm.com/support/docview.wss?uid=swg21587536
- for TPM:
- TPM 7.2.1 install WAS 126.96.36.199
- For the remaining TPM versions (5.1.1, 7.1.1 and 7.2) the interim fix APAR will be certified by August 17th
- for TSAM/ISDM/CB upgrade the bundled websphere runtime to 188.8.131.52 or higher.
If you need help or additional information contact IBM Support.