IBM Support

*Updated* Potential security exposure with IBM WebSphere Application Server with Web Services using XML Encryption (PM34841/PM35779)

Flash (Alert)


Abstract

Web Services requests (either JAX-RPC or JAX-WS) containing data encrypted by WS-Security can be decrypted by way of a decryption attack.

Content

Affected versions
  • JAX-WS for:
    • WebSphere Application Server, on all platforms, Versions 7.0 through 7.0.0.15 are affected.
      • V7.0.0.17 and later will only require the JVM custom property, webservices.unify.faults=true , described below, to be set.
    • Web Services Feature Pack for WebSphere Application Server, on all platforms, Version 6.1 are affected.
      • V6.1.0.39 and later will only require the JVM custom property, webservices.unify.faults=true , described below, to be set.
  • JAX-RPC for:
    • WebSphere Application Server, on all platforms, 6.0 through 6.0.2.43, 6.1 through 6.1.0.37, and 7.0 through 7.0.0.15 are affected.
      • V6.1.0.39 and later, and V7.0.0.17 and later, will only require the JVM custom property, webservices.unify.faults=true , described below, to be set.

This security exposure does not occur on:
  • IBM WebSphere Application Server Versions after 6.1.0.37 or 7.0.0.15, provided the JVM custom property, webservices.unify.faults=true , described below, is set. Without the property set, these levels contain the update but it is not active.



Problem description
If a Web Service (either JAX-WS or JAX-RPC) is configured to use WS-Security to encrypt message data, that data might be vulnerable to a decryption attack. An attacker who can intercept requests containing encrypted data might be able to decrypt the encrypted data in those requests. The exposure is in the message-level (WS-Security) encryption, so it applies regardless of the transport used. All versions of JAX-RPC and JAX-WS are vulnerable.



Solution overview
Applying Interim Fix APAR PM34841 or APAR PM35779 as described below, or a Fix Pack containing one of these APARs, and then enabling the update by setting a JVM custom property, resolves this issue. Both steps are required: installing the fix without setting the property leaves the exposure in place.

For IBM WebSphere Application Server Versions after 6.1.0.37 or 7.0.0.15, an update does not need to be installed, but it must be enabled by setting a custom JVM property, which resolves this issue.

When the update is enabled by setting the JVM custom property, detailed information may be removed from any SOAPFault generated by the Web Service runtimes, so clients that depend on the content of fault details should be tested after the change. The update is not enabled by default in order to maintain application compatibility with respect to SOAPFaults.

To enable the update, set the following JVM custom property after the update is installed: webservices.unify.faults=true . This property can be set using the administrative console as described in the Information Center article "Java virtual machine custom properties". As with any JVM custom property, the server must be restarted for the setting to take effect.
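The administrative console sets the property one server at a time. The following wsadmin Jython script is an added example, not IBM's code or part of this Flash, that sets webservices.unify.faults=true on every application server in the configuration, updating an existing property instead of creating a duplicate, and then saves the configuration. It uses only the documented AdminConfig commands (list, showAttribute, create, modify, save); the script file name and the console output format are assumptions.

```jython
# Added example, not from the IBM Flash: enable the PM34841/PM35779 update on
# all application servers by setting the JVM custom property
# webservices.unify.faults=true. Run from the deployment manager (or the
# standalone profile) bin directory with:
#   wsadmin.sh -lang jython -f unify_faults.py      (wsadmin.bat on Windows)
# The file name unify_faults.py is an assumption.

PROP_NAME = 'webservices.unify.faults'
PROP_VALUE = 'true'

def set_jvm_property(server):
    """Create or update the JVM custom property on one Server config object.
    Returns 'created', 'updated' or 'already set'."""
    # Each server has exactly one JavaVirtualMachine config object.
    jvm = AdminConfig.list('JavaVirtualMachine', server).splitlines()[0]
    # JVM custom properties are Property objects under the JVM's
    # systemProperties attribute; reuse an existing one rather than
    # adding a second property with the same name.
    for prop in AdminConfig.list('Property', jvm).splitlines():
        if AdminConfig.showAttribute(prop, 'name') == PROP_NAME:
            if AdminConfig.showAttribute(prop, 'value') != PROP_VALUE:
                AdminConfig.modify(prop, [['value', PROP_VALUE]])
                return 'updated'
            return 'already set'
    AdminConfig.create('Property', jvm,
                       [['name', PROP_NAME], ['value', PROP_VALUE]],
                       'systemProperties')
    return 'created'

changed = 0
for server in AdminConfig.list('Server').splitlines():
    if not server.strip():
        continue
    # Only application servers host Web Services; skip the deployment
    # manager, node agents and web server definitions.
    if AdminConfig.showAttribute(server, 'serverType') != 'APPLICATION_SERVER':
        continue
    name = AdminConfig.showAttribute(server, 'name')
    result = set_jvm_property(server)
    print '%-30s %s' % (name, result)
    if result != 'already set':
        changed = changed + 1

if changed:
    AdminConfig.save()
    print 'Saved %d change(s). Synchronize the nodes and restart the servers' % changed
    print 'for the property to take effect.'
else:
    print 'No changes needed: %s=%s is already set everywhere.' % (PROP_NAME, PROP_VALUE)
```

In a Network Deployment cell, run the script against the deployment manager so the change is made in the master repository, then synchronize the nodes before restarting the servers. Rerunning the script is safe: it reports "already set" for servers that carry the property and saves nothing. The property only activates the update; the APAR or Fix Pack level listed below for your release must already be installed on each node.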


Solution for IBM WebSphere Application Server for Distributed:

Version Solution
V7.0.0.17 and later: Note: The update is already included in this level, so no APAR or Fix Pack needs to be installed. However, the update is disabled by default, therefore, you must:
  • Set the JVM custom property webservices.unify.faults=true
V7.0 through 7.0.0.15
  • Apply Fix Pack 11 (7.0.0.11), or later, if not already at one of these levels, then
  • Apply Interim Fix APAR PM34841
    • Individual Fixes are available for Fix Pack 11, Fix Pack 13 and Fix Pack 15.
  • Set the JVM custom property webservices.unify.faults=true
--OR--
  • Apply Fix Pack 17, or later, when available. (7.0.0.17 is targeted to be available May 2011).
  • Set the JVM custom property webservices.unify.faults=true
V6.1.0.39 and later: Note: The update is already included in this level, so no APAR or Fix Pack needs to be installed. However, the update is disabled by default, therefore, you must:
  • Set the JVM custom property webservices.unify.faults=true
V6.1 through 6.1.0.37
  • Apply Fix Pack 29 (6.1.0.29), or later, if not already at one of these levels, then
  • Apply Interim Fix APAR PM34841
    • Fix may be applied to Fix Pack 29 through Fix Pack 37
  • Set the JVM custom property webservices.unify.faults=true
--OR--
  • Apply Fix Pack 39, or later, when available. (6.1.0.39 is targeted to be available July 2011).
  • Set the JVM custom property webservices.unify.faults=true
V6.0 through 6.0.2.43
  • Apply Refresh Pack 2 (6.0.2), or later, if not already at this level, then
  • Apply Fix Pack 33 (6.0.2.33), or later, if not already at one of these levels, then
  • Apply Interim Fix APAR PM34841
    • Fix may be applied to Fix Pack 33 through Fix Pack 43
  • Set the JVM custom property webservices.unify.faults=true


Solution for Web Services Feature Pack for WebSphere Application Server V6.1:

Version Solution
V6.1.0.39 and later Note: The update is already included in this level, so no APAR or Fix Pack needs to be installed. However, the update is disabled by default, therefore, you must:
  • Set the JVM custom property webservices.unify.faults=true
For V6.1 through 6.1.0.37 --OR--


Solution for WebSphere Application Server for IBM i (i5/OS):

Version Solution
V7.0.0.17 and later Note: The update is already included in this level, so no APAR or Fix Pack needs to be installed. However, the update is disabled by default, therefore, you must:
  • Set the JVM custom property webservices.unify.faults=true
V7.0 through 7.0.0.15
  • Apply Fix Pack 11 (7.0.0.11), or later, if not already at one of these levels, then
  • Apply Interim Fix APAR PM34841
    • Individual Fixes are available for Fix Pack 11, Fix Pack 13 and Fix Pack 15.
  • Set the JVM custom property webservices.unify.faults=true
--OR--
  • Apply the WebSphere Application Server PTF group which includes Fix Pack 17, or later, when available. (7.0.0.17 is targeted to be available May 2011).
  • Set the JVM custom property webservices.unify.faults=true
V6.1.0.39 and later Note: The update is already included in this level, so no APAR or Fix Pack needs to be installed. However, the update is disabled by default, therefore, you must:
  • Set the JVM custom property webservices.unify.faults=true
V6.1 through 6.1.0.37
  • Apply Fix Pack 29 (6.1.0.29), or later, if not already at one of these levels, then
  • Apply Interim Fix APAR PM34841
    • Fix may be applied to Fix Pack 29 through Fix Pack 37
  • Set the JVM custom property webservices.unify.faults=true
--OR--
  • Apply the WebSphere Application Server PTF group which includes Fix Pack 39, or later, when available. (6.1.0.39 is targeted to be available July 2011).
  • Set the JVM custom property webservices.unify.faults=true
V6.0 through 6.0.2.43
  • Apply the WebSphere Application Server V6.0 for iSeries PTF group including Fix Pack 43, if not already at this level (6.0.2.43), then
    • See the PTFs site to determine the PTF group needed for your Application Server V6.0 product and i5/OS version.
  • Apply Interim Fix APAR PM34841
  • Set the JVM custom property webservices.unify.faults=true


Solution for IBM WebSphere Application Server for z/OS:

Version Solution
V7.0.0.17 and later Note: The update is already included in this level, so no APAR or Fix Pack needs to be installed. However, the update is disabled by default, therefore, you must:
  • Set the JVM custom property webservices.unify.faults=true
V7.0 through 7.0.0.15
  • Apply APAR PM34841 via the PTFs that include 7.0.0.17, or later, when available. (7.0.0.17 is targeted to be available May 2011).
  • Set the JVM custom property webservices.unify.faults=true
V6.1.0.39 and later Note: The update is already included in this level, so no APAR or Fix Pack needs to be installed. However, the update is disabled by default, therefore, you must:
  • Set the JVM custom property webservices.unify.faults=true
V6.1 through 6.1.0.37
  • Apply APAR PM34841 via the PTFs that include 6.1.0.39, or later, when available. (6.1.0.39 is targeted to be available July 2011).
  • Set the JVM custom property webservices.unify.faults=true
And for Web Services Feature Pack for WebSphere Application Server V6.1:
    • For V6.1 through 6.1.0.37:
      • Apply APAR PM34841 via the PTFs that include 6.1.0.39, or later, when available. (6.1.0.39 is targeted to be available July 2011).
      • Set the JVM custom property webservices.unify.faults=true
V6.0 through 6.0.2.43
  • V6.0 is no longer in service (ended 30 September 2010).
    • Additional assistance will only be provided with a valid Support Extension for this version.

Note: Customers that require a fix at a different WebSphere Application Server for z/OS service level not mentioned above, or those who are running with a service level mentioned above, but also have an existing ++APAR, will need to open a PMR to work with IBM Technical Support personnel to determine the best method for providing a fix for their system. Be prepared to provide to IBM your current service level, and any existing ++APARs that are already received/applied to your system.



Additional documentation
For additional details and information on WebSphere Application Server product updates:




Change history

  • 26 April 2011: Added details about the requirement of setting the JVM custom property, webservices.unify.faults=true, in addition to applying the Interim Fix APAR and/or the Fix Pack. Also added direction to "Set the JVM custom property webservices.unify.faults=true" for all releases after 6.1.0.37 and 7.0.0.15, that did not require the APAR or Fix Pack to be applied.

  • 20 April 2011: Original copy published.

Cross reference information
  • Segment: Application Servers; Product: WebSphere Application Server Feature Pack for Web Services; Component: Web Services Security; Platform: AIX, HP-UX, IBM i, Linux, Linux iSeries, Linux Red Hat - xSeries, Linux SUSE - iSeries, Linux SUSE - xSeries, Windows; Version: 6.1; Edition: All Editions
  • Segment: Application Servers; Product: WebSphere Application Server for z/OS; Component: General; Platform: z/OS, OS/390; Version: 7.0, 6.1, 6.0; Edition: Feature Pack for Web Services
  • Segment: Application Servers; Product: WebSphere Application Server Hypervisor Edition; Platform: AIX, Linux; Version: 7.0, 6.1; Edition: All Editions
  • Segment: Application Servers; Product: WebSphere Application Server Feature Pack for Web Services for z/OS; Version: 6.1; Edition: All Editions

Document information

More support for: WebSphere Application Server
General

Software version: 6.0, 6.1, 7.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition: Base, Developer, Express, Feature Pack for Web Services, Network Deployment

Reference #: 1474220

Modified date: 23 October 2013