IBM Support

Possible security exposure with WebSphere Application Server with WS-Security enabled applications using LTPA tokens (PM43585/PM43792/PM45181).

Flashes (Alerts)


Abstract

There is a possible security exposure when using WS-Security that can result in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.

Content

There is a possible security exposure when using WS-Security that can result in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.

WebSphere versions affected:

  • WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, 6.1 through 6.1.0.41, and 6.0.2 through 6.0.2.43.
  • WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

WebSphere versions not impacted:

For JAX-WS Runtime:

  • WebSphere Application Server Versions 8.0.0.2 and later, and 7.0.0.21 and later.
  • WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.41 and later.

For JAX-RPC Runtime:

  • WebSphere Application Server Versions 8.0.0.3 and later, 7.0.0.23 and later, and 6.1.0.43 and later.

For a full description, affected product releases, and APARs/fixes, please see the complete published Security Exposure (ESAR) Flash for PM43585, PM43792, and PM45181 at:


http://www-01.ibm.com/support/docview.wss?uid=swg21587536


Document Information

Modified date:
25 September 2022

UID

swg21605397