Potential security exposure with the JAX-WS WS-Security runtime and the Timestamp element
PM08360 resolves the following problem:
When the WS-Security policy for a JAX-WS application specifies
a Timestamp element, there is a potential risk of a security
IBM WebSphere Application Server Feature
Pack for Web Services users of WS-Security
enabled JAX-WS applications utilizing Timestamp.
JAX-RPC applications are not impacted.
When using a WS-Security enabled JAX-WS web service application,
if the WS-Security policy specifies 'IncludeTimestamp', there
is a potential risk of security exposure.
WS-Security enabled JAX-RPC web service applications are not
Install a fixpack or ifix that includes this APAR.
The JAX-WS WS-Security runtime is updated to eliminate the
potential security exposure.
After a fixpack or an ifix containing this APAR is
applied, the WS-Security runtime might reject SOAP messages
with an error related to the Timestamp element. If this
problem occurs, ensure that the WS-Security policy for
both the consumer and provider match.
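One way to check that the consumer and provider policies agree on the Timestamp assertion is sketched below. This is an added example, not IBM code: the two policy documents are constructed samples in standard WS-SecurityPolicy form, the function names are hypothetical, and matching on element local names (ignoring namespace versions) is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (assumption: standard WS-Policy / WS-SecurityPolicy
# namespaces; these are not copied from any product policy file).
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"

def _policy(binding_children):
    return (f'<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}"><wsp:ExactlyOne><wsp:All>'
            f'<sp:AsymmetricBinding><wsp:Policy>{binding_children}</wsp:Policy>'
            f'</sp:AsymmetricBinding></wsp:All></wsp:ExactlyOne></wsp:Policy>')

PROVIDER = _policy("<sp:IncludeTimestamp/><sp:OnlySignEntireHeadersAndBody/>")
CONSUMER = _policy("<sp:OnlySignEntireHeadersAndBody/>")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def assertions(policy_xml):
    """Return the set of assertion paths, skipping the wsp operator elements."""
    found = set()

    def walk(elem, path):
        name = local(elem.tag)
        if name not in ("Policy", "ExactlyOne", "All"):
            path = path + (name,)
            found.add("/".join(path))
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(policy_xml), ())
    return found

def compare(provider_xml, consumer_xml):
    """Report assertions present on only one side and flag a Timestamp mismatch."""
    p, c = assertions(provider_xml), assertions(consumer_xml)
    return {
        "provider_only": sorted(p - c),
        "consumer_only": sorted(c - p),
        "timestamp_mismatch": any(a.endswith("IncludeTimestamp") for a in p ^ c),
    }

if __name__ == "__main__":
    print(compare(PROVIDER, CONSUMER))
```

A `timestamp_mismatch` of `True` means only one side asserts IncludeTimestamp, which is the condition under which the updated runtime might reject messages.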
For more information about the use of Timestamp in
WebSphere WS-Security and the precautions that should be
taken, refer to the following WebSphere Application Server
Information Center document on the Timestamp element:
The fix for this APAR is currently targeted for inclusion in
fix pack 220.127.116.11. Please refer to the Recommended Updates
page for delivery information:
Please download the UpdateInstaller below to install this fix.
Please review the readme.txt for detailed installation instructions.
|Download||RELEASE DATE||LANGUAGE||SIZE(Bytes)||Download Options|
|18.104.22.168-WS-WASWebSvc-IFPM08360||8/19/2010||US English||503797||FC FTP DD|
|22.214.171.124-WS-WASWebSvc-IFPM08360||8/19/2010||US English||334652||FC FTP DD|
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed