IBM Support

PM43585; Possible security exposure with WebSphere Application Server

Download


Abstract

Possible security exposure with WebSphere Application Server with WS-Security enabled JAX-WS applications using LTPA tokens

Download Description

PM43585 resolves the following problem:

ERROR DESCRIPTION:
An error in web services security (WS-Security) processing of an inbound LTPA token may cause a user to gain elevated privileges on the provider system.

USERS AFFECTED:
IBM WebSphere Application Server users of WS-Security enabled JAX-WS applications and LTPA tokens

PROBLEM DESCRIPTION:
WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication, so a request can run under another user's identity.

RECOMMENDATION:
Do one of the following:
* For WebSphere v7:
  * Install fix pack 7.0.0.21 or later
  * Install interim fix 7.0.0.0-WS-WAS-IFPM43585.pak
  * Install interim fix 7.0.0.11-WS-WAS-IFPM43585.zip if using IBM Installation Manager

* For WebSphere v8:
  * Install fix pack 8.0.0.2 or later
  * Install interim fix 8.0.0.0-WS-WASProd-IFPM43585.zip
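A small status check for the recommendation above, added here as an example and not IBM code: given an installed WebSphere version string (for example as reported by versionInfo.sh) and the names of applied interim fixes, it reports whether PM43585 is present via the fix pack or via an IFPM43585 interim fix. The fix-pack levels and interim-fix names are those listed in this APAR; the function names and the sample inputs are assumptions.

```python
# Assessment helper for APAR PM43585 (WS-Security LTPA identity mix-up).
# Fix levels and interim-fix identifiers are taken from the APAR text above.
from typing import Iterable, Tuple

# First fix-pack level that contains PM43585, keyed by major release.
FIXED_LEVELS = {7: (7, 0, 0, 21), 8: (8, 0, 0, 2)}

# Common identifier in all three interim-fix package names listed above.
IFIX_MARKER = "IFPM43585"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.0.0.11' (or a short form such as '8.0') into a 4-tuple."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def pm43585_status(version: str, installed_fixes: Iterable[str] = ()) -> str:
    """Return 'fixed', 'vulnerable' or 'not covered' for one WebSphere install.

    'not covered' means the major release is outside the v7/v8 scope of this
    APAR, so no statement is made about it.
    """
    v = parse_version(version)
    fixed_level = FIXED_LEVELS.get(v[0])
    if fixed_level is None:
        return "not covered"
    if v >= fixed_level:
        return "fixed"                      # fix pack already carries PM43585
    if any(IFIX_MARKER in name for name in installed_fixes):
        return "fixed"                      # interim fix applied on an older level
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, interim fixes applied).
    inventory = [
        ("app01", "7.0.0.11", []),
        ("app02", "7.0.0.11", ["7.0.0.11-WS-WAS-IFPM43585"]),
        ("app03", "8.0.0.1", []),
        ("app04", "8.0.0.2", []),
    ]
    for host, ver, fixes in inventory:
        print(f"{host:6} {ver:9} {pm43585_status(ver, fixes)}")
```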

CONCLUSION:
The fix for this APAR is currently targeted for inclusion in
fix packs 7.0.0.21 and 8.0.0.2. Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

* UpdateInstaller (US English, AIX, 7250000 bytes): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

* Readme (US English, 5981 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM43585/readme.txt
Download Package

* 7.0.0.0-WS-WAS-IFPM43585 (2 May 2012, US English, AIX, 19607 bytes)
  * Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.0-WS-WAS-IFPM43585&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  * FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM43585/7.0.0.0-WS-WAS-IFPM43585.pak
* 8.0.0.0-WS-WASProd-IFPM43585 (8 May 2012, US English, AIX, 256319 bytes)
  * Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.0-WS-WASProd-IFPM43585&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  * FTP: ftp://download4.boulder.ibm.com/ecc/sar/CMA/WSA/034sa/0/8.0.0.0-WS-WASProd-IFPM43585.zip
* 7.0.0.11-WS-WAS-IFPM43585 (10 Jul 2012, US English, AIX, 173458 bytes)
  * Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.11-WS-WAS-IFPM43585&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  * FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM43585/7.0.0.11-WS-WAS-IFPM43585.zip

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Component: Web Services Security
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Versions: 8.0.0.1, 8.0, 7.0.0.19, 7.0.0.17, 7.0.0.15, 7.0.0.13, 7.0.0.11, 7.0.0.9, 7.0.0.7, 7.0.0.5, 7.0.0.3, 7.0.0.1, 7.0
Editions: Base, Network Deployment, Single Server
Business Unit: Cloud & Data Platform (BU053); Line of Business: Automation (LOB45)

Document Information

Modified date: 15 June 2018

UID: swg24032586