Topic
  • 3 replies
  • Latest Post - ‏2012-10-17T14:48:07Z by kimbert@uk.ibm.com
SystemAdmin
4179 Posts

Pinned topic Broker WS Security - Digital Signature

‏2012-10-15T13:51:30Z |
When a user manipulates a SOAP request body in transit, the BEM service will detect the modification. This happens because the digital signature of the request message will not match the value it generates from the request message body. The broker identifies the tampering with the message in transit and throws a security exception to the calling application.

Problem Statement:
However, a weakness was identified whereby the cloning of an existing message body into the SOAP header will allow a malicious individual to manipulate the content of a message without triggering a security exception. It can be manipulated with the original message body placed in a wrapper element in the SOAP header.
Updated on 2012-10-17T14:48:07Z at 2012-10-17T14:48:07Z by kimbert@uk.ibm.com
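A receiver-side structural check for the weakness described in the post above, as an added example that is not part of the original thread or of WMB: alongside cryptographic verification, confirm that the element the signature references is the single `soap:Body` the service will actually process. The function name, the `wsu:Id`-based referencing and the sample messages are assumptions; the samples are constructed and carry no real signature values.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSU_ID = f"{{{WSU}}}Id"

def signed_body_is_processed_body(xml_text):
    """Return (ok, reason). Complements signature verification, never replaces it."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP}}}Envelope":
        return False, "root is not a SOAP Envelope"
    bodies = root.findall(f"{{{SOAP}}}Body")        # direct children only
    if len(bodies) != 1:
        return False, "expected exactly one Body child of Envelope"
    # A second soap:Body anywhere else (e.g. wrapped in the header) is rejected.
    if len(list(root.iter(f"{{{SOAP}}}Body"))) != 1:
        return False, "soap:Body found outside the Envelope/Body position"
    ids = [e.get(WSU_ID) for e in root.iter() if e.get(WSU_ID)]
    if len(ids) != len(set(ids)):
        return False, "duplicate wsu:Id values"
    # The Body that will be processed must be the element the signature covers.
    refs = {r.get("URI", "") for r in root.iter(f"{{{DS}}}Reference")}
    body_id = bodies[0].get(WSU_ID)
    if not body_id or f"#{body_id}" not in refs:
        return False, "signature does not reference the processed Body"
    return True, "ok"

def _envelope(header_extra, body_id, amount):
    # Constructed sample message; the Signature is a stub with one Reference.
    return f"""<soap:Envelope xmlns:soap="{SOAP}" xmlns:ds="{DS}" xmlns:wsu="{WSU}">
 <soap:Header>
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>
  {header_extra}
 </soap:Header>
 <soap:Body wsu:Id="{body_id}"><amount>{amount}</amount></soap:Body>
</soap:Envelope>"""

GENUINE = _envelope("", "body-1", "10")
# Original signed body parked in a header wrapper, different body in place.
WRAPPED = _envelope('<Wrapper><soap:Body wsu:Id="body-1"><amount>10</amount>'
                    '</soap:Body></Wrapper>', "body-2", "9999")
UNSIGNED_BODY = _envelope("", "body-2", "10")

if __name__ == "__main__":
    for name in ("GENUINE", "WRAPPED", "UNSIGNED_BODY"):
        print(name, signed_body_is_processed_body(globals()[name]))
```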
  • kimbert@uk.ibm.com
    515 Posts

    Re: Broker WS Security - Digital Signature

    ‏2012-10-16T16:03:39Z  
    What is a 'BEM service'? (Google did not come up with anything.)

    Are you
    a) reporting an exploitable weakness in WMB's security facilities?
    b) reporting an exploitable weakness with the digital signing of the messages that are submitted to your WMB-hosted service?
  • SystemAdmin
    4179 Posts

    Re: Broker WS Security - Digital Signature

    ‏2012-10-17T04:48:45Z  
    Hello Kimbert,

    BEM is just the name of the middleware layer we have in this project.
    This is the weakness in the WS Security implementation in WMB v7.0.3 using digital signatures.

    Please let me know if any more specific details are required to analyse it further.
  • kimbert@uk.ibm.com
    515 Posts

    Re: Broker WS Security - Digital Signature

    ‏2012-10-17T14:48:07Z  
    Not sure what you are expecting to get from this forum. Sounds as if you need to open a PMR or talk to the WMB development team about this alleged weakness.