Flash (Alert)
Abstract
If you are running WebSphere Multichannel Bank Transformation Toolkit on WebSphere Application Server, there is a possible security exposure when using WS-Security that can result in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.
Content
CVE ID: CVE-2011-1377
Versions affected:
- WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, 6.1 through 6.1.0.41, and 6.0.2 through 6.0.2.43.
- WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.
Versions not impacted:
- For JAX-WS Runtime:
- WebSphere Application Server Versions 8.0.0.2 and later, and 7.0.0.21 and later.
- WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.41 and later.
- For JAX-RPC Runtime:
- WebSphere Application Server Versions 8.0.0.3 and later, 7.0.0.23 and later, and 6.1.0.43 and later.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71319 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Problem Description: WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could randomly gain elevated privileges on the provider system, because WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS or JAX-RPC.
Solution:
- For the JAX-WS runtime, apply both PM43585 and PM43792, or a Fix Pack containing these APAR fixes, as noted below.
- For JAX-RPC runtime, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
- For WebSphere Application Server Versions 7 and 8, apply both PM43585 and PM45181, or a Fix Pack containing both of these APAR fixes, as noted below.
- For WebSphere Application Server Version 6.1, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
- For WebSphere Application Server Feature Pack for Web Services Version 6.1, apply PM43792, or a Fix Pack containing this APAR as noted below.
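To turn the affected-version and APAR lists above into a repeatable inventory check, the following script (an added example, not part of IBM's Flash) maps an installed WebSphere Application Server level and web services runtime to the ranges and fix levels this advisory states; the range values are copied from the advisory, while the helper names and dictionary layout are assumptions of the example.

```python
# Added example, not part of IBM's Flash: decide whether an installed WebSphere
# Application Server level falls in an affected range for CVE-2011-1377 and
# which APAR / fix pack level the advisory says clears it. Range values come
# from the advisory; the function names and dict layout are this example's own.
from typing import Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'7.0.0.21' -> (7, 0, 0, 21); short forms such as '7.0' are zero-padded."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {v!r}")
    return parts + (0,) * (4 - len(parts))


# runtime -> list of (first affected, last affected, first fixed level, APAR).
# A None fix level means no fix pack exists for that stream (6.0.2 is out of
# service) and only the interim fix applies. Levels outside the stated ranges
# are reported as not affected, exactly as the advisory lists them.
AFFECTED = {
    "jax-ws": [                          # JAX-WS runtime in WAS 7/8: PM43585
        ("8.0", "8.0.0.1", "8.0.0.2", "PM43585"),
        ("7.0", "7.0.0.19", "7.0.0.21", "PM43585"),
    ],
    "jax-ws-featurepack": [              # Feature Pack for Web Services on 6.1
        ("6.1.0.9", "6.1.0.39", "6.1.0.41", "PM43792"),
    ],
    "jax-rpc": [                         # JAX-RPC runtime: PM45181
        ("8.0", "8.0.0.2", "8.0.0.3", "PM45181"),
        ("7.0", "7.0.0.21", "7.0.0.23", "PM45181"),
        ("6.1", "6.1.0.41", "6.1.0.43", "PM45181"),
        ("6.0.2", "6.0.2.43", None, "PM45181"),
    ],
}


def assess(installed: str, runtime: str) -> dict:
    """Report whether `installed` is affected for `runtime` and what clears it."""
    v = parse_version(installed)
    for low, high, fixed, apar in AFFECTED[runtime]:
        if parse_version(low) <= v <= parse_version(high):
            return {"affected": True, "apar": apar, "fix_pack": fixed}
    return {"affected": False, "apar": None, "fix_pack": None}


def assess_all(installed: str, runtimes=("jax-ws", "jax-rpc")) -> dict:
    """A server usually hosts both runtimes; collect every APAR it still needs."""
    results = {rt: assess(installed, rt) for rt in runtimes}
    results["apars_needed"] = sorted({r["apar"] for r in results.values() if r["apar"]})
    return results
```

For a 7.0.0.21 server the result lists only PM45181, matching the Solution section, while a 7.0.0.15 server needs both PM43585 and PM45181.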
For IBM WebSphere Application Server for distributed operating systems:
For Version 8.0.0.2:
- Apply Interim Fix APAR PM45181
-OR-
- Apply Fix Pack 3 (8.0.0.3), or later.
For Versions 8.0 to 8.0.0.1:
- Apply Fix Pack 3 (8.0.0.3), or later.
For Version 7.0.0.21:
- Apply Interim Fix APAR PM45181
-OR-
- Apply Fix Pack 23 (7.0.0.23), or later.
For Versions 7.0 through 7.0.0.19:
- Apply Fix Pack 23 (7.0.0.23), or later.
For Versions 6.1 through 6.1.0.41:
- Apply Interim Fix APAR PM45181
-OR-
- Apply Fix Pack 43 (6.1.0.43), or later.
For Versions 6.0.2 through 6.0.2.43:
- Apply Interim Fix APAR PM45181
- Version 6.0.x is no longer in service (ended 29 September 2010).
- The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For IBM WebSphere Application Server for i5/OS:
For Version 8.0.0.2:
- Apply Interim Fix APAR PM45181
-OR-
- Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.
For Versions 8.0 to 8.0.0.1:
- Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.
For Version 7.0.0.21:
- Apply Interim Fix APAR PM45181
-OR-
- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.
For Versions 7.0 through 7.0.0.19:
- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.
For Versions 6.1 through 6.1.0.41:
- Apply Interim Fix APAR PM45181
-OR-
- Apply the WebSphere Application Server PTF group which includes Fix Pack 43, or later, according to the PTF group instructions.
For Versions 6.0.2 through 6.0.2.43:
- Apply Interim Fix APAR PM45181
- Version 6.0.x is no longer in service (ended 29 September 2010).
- The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For WebSphere Application Server for z/OS operating systems:
For Version 8.0.0.2:
- Apply Interim Fix APAR PM45181
-OR-
- Apply Fix Pack 3 (8.0.0.3), or later.
For Versions 8.0 to 8.0.0.1:
- Apply Fix Pack 3 (8.0.0.3), or later.
For Version 7.0.0.21:
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181.
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
-OR-
- Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
For Versions 7.0 through 7.0.0.19:
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request ++APARs for PM45181 and PM43585.
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
-OR-
- Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
For Versions 6.1 through 6.1.0.41:
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181.
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
-OR-
- Apply Fix Pack 6.1.0.43, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
For Versions 6.0.2 through 6.0.2.43:
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181.
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
- V6.0 is no longer in service (ended 30 September 2010).
- Additional assistance will only be provided with a valid support extension for this version.
For WebSphere Application Server Feature Pack for Web Services on distributed operating systems:
For 6.1.0.9 through 6.1.0.39:
- Apply Interim Fix APAR PM43792
-OR-
- Apply Fix Pack 43 (6.1.0.43), or later.
For WebSphere Application Server Feature Pack for Web Services on z/OS:
For 6.1.0.9 through 6.1.0.39:
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM43792.
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
-OR-
- Apply Fix Pack 43 (6.1.0.43), or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
For additional details and information on WebSphere Application Server product updates:
- For Distributed, see Recommended fixes for WebSphere Application Server.
- For i5/OS, see WebSphere Application Server for i5/OS.
- For z/OS, see APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
REFERENCES:
- Complete CVSS Guide (link to http://www.first.org/cvss/cvss-guide.html)
- On-line Calculator V2 (link to http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.