PM08360; 6.1.0.9: Potential security exposure with JAX-WS WS-Security runtime

Downloadable files


Abstract

Potential security exposure with the JAX-WS WS-Security runtime and the Timestamp element

Download Description

PM08360 resolves the following problem:

ERROR DESCRIPTION:
When the WS-Security policy for a JAX-WS application specifies
a Timestamp element, there is a potential risk of a security
exposure.

LOCAL FIX:
N/A

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server Feature
Pack for Web Services users of WS-Security
enabled JAX-WS applications utilizing Timestamp.

JAX-RPC applications are not impacted.

PROBLEM DESCRIPTION:
When using a WS-Security enabled JAX-WS web service application,
if the WS-Security policy specifies 'IncludeTimestamp', there
is a potential risk of security exposure.

WS-Security enabled JAX-RPC web service applications are not
impacted.

RECOMMENDATION:
Install a fixpack or ifix that includes this APAR.

PROBLEM CONCLUSION:
The JAX-WS WS-Security runtime is updated to eliminate the
potential security exposure.

After a fixpack or an ifix containing this APAR is
applied, the WS-Security runtime might reject SOAP messages
with an error related to the Timestamp element. If this
problem occurs, ensure that the WS-Security policy for
both the consumer and provider match.

For more information about the use of Timestamp in
WebSphere WS-Security and the precautions that should be
taken, refer to the following WebSphere Application Server
Information Center document on the Timestamp element:

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=v610ws&product=was-base-dist&topic=cwbs_timestamp

The fix for this APAR is currently targeted for inclusion in
fix pack 6.1.0.33. Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

| URL | LANGUAGE | SIZE(Bytes) |
|---|---|---|
| UpdateInstaller | US English | 7250000 |

Installation Instructions

Please review the readme.txt for detailed installation instructions.

| URL | LANGUAGE | SIZE(Bytes) |
|---|---|---|
| Readme | US English | 8108 |

Download package


| Download | RELEASE DATE | LANGUAGE | SIZE(Bytes) | Download Options |
|---|---|---|---|---|
| 6.1.0.29-WS-WASWebSvc-IFPM08360 | 8/19/2010 | US English | 503797 | FC FTP DD |
| 6.1.0.31-WS-WASWebSvc-IFPM08360 | 8/19/2010 | US English | 334652 | FC FTP DD |

Technical support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PM08360, PM06566, PM07733

Document information


More support for: WebSphere Application Server, Web Services Security

Software version: 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.14, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29, 6.1.0.31

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Feature Pack for Web Services

Reference #: 4027708

Modified date: 2010-08-26
