Flashes (Alerts)
Abstract
Possible security exposure with XML digital signature
Content
Versions Affected:
IBM WebSphere Application Server Versions 6.0 through 6.0.2.33 (6.0.2.34 for z/OS), 6.1 through 6.1.0.23 (6.1.0.24 for z/OS), and 7.0 through 7.0.0.1. All platforms are affected.
This security exposure does not occur on Versions 5.1 or later, 6.0.2.35 or later, 6.1.0.25 or later, or 7.0.0.3 or later.
Usage Scenarios Affected:
- WS-Security enabled JAX-RPC and JAX-WS web services which employ the shared key digital signature HMAC-SHA1 algorithm are affected by this problem.
- Users who use secure conversation and Kerberos message protection are affected by this problem.
- Users who use asymmetric key digital signature such as X.509 message protection are not affected by this problem.
Problem Description:
The WebSphere Application Server may accept web services messages that do not follow XML digital signature best practices if those messages otherwise satisfy quality of service policy requirements. The exposure to exploitation by third parties is reduced if messages are encrypted during transmission either at the message level or at the transport level.
Solutions:
Applying Interim Fix APAR PK80596 or PK80627 (as specified below), or a Fix Pack containing the APAR (as specified below), resolves this issue.
- Applying this Interim Fix APAR will not affect interoperability between IBM WebSphere Application Servers regardless of whether one or both WebSphere Application Servers have applied the fix.
- Web services requests containing digital signatures that were not generated by a WebSphere Application Server may be rejected after this fix is applied, for integrity reasons.
For WebSphere Application Server Version 6.1 Feature Pack for Web Services:
- For V6.1 through 6.1.0.23:
For IBM WebSphere Application Server for Distributed:
- For V7.0 through 7.0.0.1:
  - Apply Fix Pack 3, or later (7.0.0.3).
- For V6.1 through 6.1.0.23:
  - Upgrade to Fix Pack 17, Fix Pack 21, or Fix Pack 23 (if not already at one of these levels), then apply Interim Fix APAR PK80596.
  --OR--
  - Apply Fix Pack 25, or later (6.1.0.25).
- For V6.0 through 6.0.2.33:
For IBM WebSphere Application Server for i5/OS:
- For V7.0 through 7.0.0.1:
  - Apply the WebSphere Application Server PTF group which includes Fix Pack 3 (7.0.0.3) or later, according to the PTF group instructions.
- For V6.1 through 6.1.0.23:
  - Apply Interim Fix APAR PK80596.
  --OR--
  - Apply the WebSphere Application Server PTF group which includes Fix Pack 25 (6.1.0.25) or later, according to the PTF group instructions.
- For V6.0 through 6.0.2.33:
  - Apply Interim Fix APAR PK80596.
  --OR--
  - Apply the WebSphere Application Server PTF group which includes Fix Pack 35 (6.0.2.35) or later, according to the PTF group instructions.
  - Note: Fix Packs 25, 29 and 33 are not provided for i5/OS.
For IBM WebSphere Application Server for z/OS:
- For V7.0 through 7.0.0.1:
  - Apply APAR PK80596 from PTFs for 7.0.0.3 or later.
- For V6.1 through 6.1.0.24:
  - Apply APAR PK80596 from PTFs for 6.1.0.25 or later.
- For V6.0 through 6.0.2.34:
  - Apply APAR PK80596 from PTFs for 6.0.2.35 or later.
- For V6.1 through 6.1.0.24:
  - Apply APAR PK80627 from PTFs for 6.1.0.25 or later.
Additional documentation:
For additional details and information on WebSphere Application Server product updates:
- For Distributed, see Recommended fixes for WebSphere Application Server.
- For i5/OS, see WebSphere Application Server for i5/OS.
- For z/OS, see WebSphere Application Server for z/OS.
Document Information
Modified date: 25 September 2022
UID: swg21384925