IBM Support

PK61315; Attribute in SOAP security header may cause security exposure


Abstract

The handling of a certain attribute within the SOAP security header could potentially create a security exposure in WS-Security enabled Web services applications.

Download Description

PK61315 resolves the following problem:

ERROR DESCRIPTION:
There is a serious security exposure with the handling of a certain attribute within the Web services SOAP security header which may make it possible for an intruder to compromise the security of the system.

LOCAL FIX:
There is no workaround possible within IBM WebSphere Application Server itself if WS-Security enabled Web services applications are in use. However, if Application Server is not processing the security header within SOAP messages directly, this risk can be prevented. For example, using DataPower to prevent direct access to the Application Server Web services security runtime prevents this vulnerability.

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server Version 6 administrators of WS-Security enabled Web services providers. IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services V6.1 is also affected. Web services applications configured to use only transport layer security (for example HTTP basic authentication or SSL certificates) are not affected. This problem occurs on IBM WebSphere Application Server versions 6.0 through 6.0.2.28, and 6.1 through 6.1.0.16. The problem does not occur on versions 4.0, 5.0, 5.1, 6.0.2.29 and later, and 6.1.0.17 and later.

PROBLEM DESCRIPTION:
There is a serious security exposure with the handling of a certain attribute within the Web services SOAP security header which may make it possible for an intruder to compromise the security of the system. Urgent application of this APAR is recommended.

RECOMMENDATION:
Apply APAR PK61315 or a Fix Pack containing this APAR.

PROBLEM CONCLUSION:
The handling of the attribute has been improved to remove this possible exposure. Applying APAR PK61315, or a Fix Pack containing this APAR, resolves this issue.

The fix for this APAR is currently targeted for inclusion in Fix Pack 6.0.2.29 and 6.1.0.17.

There are seven Interim Fixes that can be downloaded from this page. There are two readmes that describe the IBM WebSphere Application Server levels to which each of these Interim Fixes applies: Readme describes the V6.1 Interim Fixes and Readme602 describes the V6.0.2 Interim Fixes.

If you have a level of IBM WebSphere Application Server V6.1 or V6.0 that is less than 6.0.2.29 or 6.1.0.17 and that is not represented by an Interim Fix on this page, this does not mean that the problem described by APAR PK61315 does not occur on your level of WebSphere Application Server. It only means that an Interim Fix has not been created for that level. In order for APAR PK61315 to be applied to such levels, they must be moved up to 6.0.2.29, 6.1.0.17, or one of the Fix Packs for which there is an Interim Fix available.

For example, if you are using 6.0.2.17 and wish to install an interim fix for this APAR, you must upgrade to 6.0.2.19, then install the 6.0.2.19-WS-WAS-IFPK61315 interim fix that is referenced from this page.
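The affected ranges, fixed levels and interim-fix levels stated above can be turned into a simple inventory check. This is an added example, not IBM's code; the version tuples are taken from the APAR text, and the rule "move to the smallest level at or above the installed one that has an Interim Fix, otherwise to the fixed Fix Pack" is the procedure described above applied to the base WS-WAS interim fixes only.

```python
"""Added example (not IBM's code): classify an installed WebSphere Application
Server level against APAR PK61315 and suggest the level/interim fix to apply."""

# Per stream: (first affected, last affected, first fixed), from the APAR text.
AFFECTED = {
    "6.0": ((6, 0), (6, 0, 2, 28), (6, 0, 2, 29)),
    "6.1": ((6, 1), (6, 1, 0, 16), (6, 1, 0, 17)),
}

# Levels for which a 6.x.y.z-WS-WAS-IFPK61315 interim fix is offered on this page.
INTERIM_FIX_LEVELS = {
    "6.0": [(6, 0, 2, 15), (6, 0, 2, 19), (6, 0, 2, 23)],
    "6.1": [(6, 1, 0, 3), (6, 1, 0, 9), (6, 1, 0, 15)],
}


def parse_version(text):
    """'6.0.2.17' -> (6, 0, 2, 17); a short level such as '6.1' stays short."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) > 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts


def pad(v, n=4):
    """Right-pad with zeros so that '6.1' compares as 6.1.0.0."""
    return v + (0,) * (n - len(v))


def is_affected(version):
    v = pad(parse_version(version))
    return any(pad(first) <= v <= pad(last) for first, last, _ in AFFECTED.values())


def remediation(version):
    """Return (target level, interim fix name or None), or None if not affected."""
    v = pad(parse_version(version))
    stream = f"{v[0]}.{v[1]}"
    if stream not in AFFECTED or not is_affected(version):
        return None
    # Smallest interim-fix level at or above the installed one; else the fixed Fix Pack.
    candidates = [lvl for lvl in INTERIM_FIX_LEVELS[stream] if lvl >= v]
    if candidates:
        target = ".".join(map(str, min(candidates)))
        return (target, f"{target}-WS-WAS-IFPK61315")
    return (".".join(map(str, AFFECTED[stream][2])), None)
```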

Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, 7250000 bytes, AIX): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions for version 6.1 and readme602.txt for version 6.0.2.

Readme (US English, 5069 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK61315/readme.txt
Readme602 (US English, 4500 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK61315/readme602.txt

Download Package

Download                           Release date   Language     Size (bytes)   Download options
6.0.2.15-WS-WAS-IFPK61315          5/14/2008      US English   206546         FC, FTP, DD
6.0.2.19-WS-WAS-IFPK61315          5/14/2008      US English   206546         FC, FTP, DD
6.0.2.23-WS-WAS-IFPK61315          5/14/2008      US English   64295          FC, FTP, DD
6.1.0.3-WS-WAS-IFPK61315           5/14/2008      US English   719753         FC, FTP, DD
6.1.0.9-WS-WAS-IFPK61315           5/14/2008      US English   709146         FC, FTP, DD
6.1.0.15-WS-WAS-IFPK61315          5/14/2008      US English   408199         FC, FTP, DD
6.1.0.15-WS-WASWebSvc-IFPK61315    5/14/2008      US English   559279         FC, FTP, DD


Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or call 1-800-IBM-SERV (U.S. only).

Applies to: WebSphere Application Server (Base, Network Deployment, Feature Pack for Web Services), component Security, on AIX, HP-UX, Linux, IBM i, Solaris and Windows, versions 6.0.2.1 through 6.0.2.27 and 6.1.0.1 through 6.1.0.15; WebSphere Application Server for z/OS versions 6.0 and 6.1.

Problems (APARs) fixed: PK34383; PK41002; PK41710; PK42833; PK54942; PK59201; PK61315

Document Information

Modified date: 15 June 2018
UID: swg24019206