Potential security vulnerability with IBM WebSphere Application Server

Flash (Alert)


Abstract

If you are running Websphere Multichannel Bank Transformation Toolkit on WebSphere Application Server, there is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS and JAX-RPC.

Content

CVE ID: CVE-2011-1377

Versions affected:

  • WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through 6.0.2.43.
  • WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

Versions not impacted:
  • For JAX-WS Runtime:
  • WebSphere Application Server Versions 8.0.0.2 and later, and 7.0.0.21 and later.
  • WebShere Application Server Feature Pack for Web Services Versions 6.1.0.41 and later,
  • For JAX-RPC Runtime:
  • WebSphere Application Server Versions 8.0.0.3 and later, 7.0.0.23 and later, and 6.1.0.43 and later,
CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: See
http://xforce.iss.net/xforce/xfdb/71319 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)


Problem Description:
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could randomly gain elevated privileges on the provider system. WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC

Solution:
  • For the JAX-WS runtime, apply both PM43585 and PM43792, or a Fix Pack containing these APAR fixes, as noted below.
  • For JAX-RPC runtime, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
  • For WebSphere Application Server Versions 7 and 8, apply both PM43585 and PM45181, or a Fix Pack containing both of these APAR fixes, as noted below.
  • For WebSphere Application Server Version 6.1, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
  • For WebSphere Application Server Feature Pack for Web Services Version 6.1, apply PM43792, or a Fix Pack containing this APAR as noted below.


For IBM WebSphere Application Server for distributed operating systems:


For Version 8.0.0.2:
-OR-
For Versions 8.0 to 8.0.0.1:
-OR-
For Version 7.0.0.21:
-OR-
For Versions 7.0 through 7.0.0.19:
-OR-
For Versions 6.1 through 6.1.0.41:
-OR- For Versions 6.0.2 through 6.0.2.43: Notes:
  • Version 6.0.x is no longer in service (ended 29 September 2010).
  • The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For IBM WebSphere Application Server for IBM i operating systems:
For Version 8.0.0.2: -OR- For Versions 8.0 to 8.0.0.1: -OR-
For Version 7.0.0.21:
-OR-
For Versions 7.0 through 7.0.0.19:
-OR-
For Versions 6.1 through 6.1.0.41:
-OR-
For Versions 6.0.2 through 6.0.2.43:
Notes:
  • Version 6.0.x is no longer in service (ended 29 September 2010).
  • The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.

For WebSphere Application Server for z/OS operating systems:

For Version 8.0.0.2: -OR-
  • Apply Fix Pack 3 (8.0.0.3), or later.
For Versions 8.0 to 8.0.0.1: -OR-
  • Apply Fix Pack 3 (8.0.0.3), or later.
For Version 7.0.0.21:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
--OR-- For Versions 7.0 through 7.0.0.19:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request ++APARs for PM45181 and PM43585
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
-OR-
For Versions 6.1 through 6.1.0.41:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
--OR-- For Versions 6.0.2 through 6.0.2.43:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
Notes:
  • V6.0 is no longer in service (ended 30 September 2010).
  • Additional assistance will be only be provided with a valid support extension for this version.
For WebSphere Application Server Feature Pack for Web Services for Distributed:
For 6.1.0.9 through 6.1.0.39:
  • Apply Interim Fix APAR PM43792
    -OR-
  • Apply Fix Pack 43 (6.1.0.43), or later.
For WebSphere Application Server Feature Pack for Web Services for z/OS:
For 6.1.0.9 through 6.1.0.39:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM43792
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
-OR-
For additional details and information on WebSphere Application Server product updates:
REFERENCES:
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

Possible security exposure with WebSphere Application S

Rate this page:

(0 users)Average rating

Document information


More support for:

WebSphere Multichannel Bank Transformation Toolkit

Software version:

6.1, 6.1.2, 7.0, 7.1, 8.0, 8.0.1

Operating system(s):

AIX, Linux, Linux on System z, Solaris, Windows

Reference #:

1607579

Modified date:

2012-08-08

Translate my page

Machine Translation

Content navigation