PM16014; 7.0.0.9: Potential security exposure with JAX-WS WS-Security runtime

Downloadable files


Abstract

Potential security exposure with the JAX-WS WS-Security runtime and the Timestamp element

Download Description

PM16014 resolves the following problem:

ERROR DESCRIPTION:
When the WS-Security policy for a JAX-WS application specifies
a Timestamp element, there is a potential risk of a security
exposure.

LOCAL FIX:
na

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server users of
WS-Security enabled JAX-WS applications
utilizing Timestamp.

JAX-RPC applications are not impacted.

PROBLEM DESCRIPTION:
When using a WS-Security enabled JAX-WS web service application,
if the WS-Security policy specifies 'IncludeTimestamp', there
is a potential risk of security exposure.

WS-Security enabled JAX-RPC web service applications are not
impacted.

RECOMMENDATION:
Install a fixpack that includes this APAR.

PROBLEM CONCLUSION:
The JAX-WS WS-Security runtime is updated to eliminate the
potential security exposure.

After a fixpack or an ifix containing this APAR is
applied, the WS-Security runtime might reject SOAP messages
with an error related to the Timestamp element. If this
problem occurs, ensure that the WS-Security policies for
the consumer and the provider match.

For more information about the use of Timestamp in
WebSphere WS-Security and the precautions that should be
taken, refer to the following WebSphere Application Server
Information Center document on the Timestamp element:

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=cwbs_timestamp


The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.13. Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL LANGUAGE SIZE(Bytes)
Readme US English 6972

Download package


Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
7.0.0.11-WS-WAS-IFPM16014 8/19/2010 US English 485329 FC FTP DD

Technical support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PM16014, PM07663

Document information


More support for:

WebSphere Application Server
Web Services Security

Software version:

7.0, 7.0.0.1, 7.0.0.3, 7.0.0.5, 7.0.0.7, 7.0.0.9, 7.0.0.11

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

Base, Network Deployment

Reference #:

4027709

Modified date:

2010-08-26
