Download
Abstract
WS-Security for JAX-RPC applications may improperly validate UsernameTokens
Download Description
PK75992 resolves the following problem:
ERROR DESCRIPTION:
A potential security exposure exists when using UsernameTokens with WS-Security for JAX-RPC applications.
LOCAL FIX:
N/A
PROBLEM SUMMARY
USERS AFFECTED:
IBM WebSphere Application Server administrators of WS-Security-enabled JAX-RPC service providers that use UsernameTokens and are accessed by non-WebSphere web services clients.
PROBLEM DESCRIPTION:
WebSphere Application Server could allow a remote attacker to bypass security restrictions, caused by improper validation of the UsernameToken when using JAX-RPC for WS-Security applications. An attacker could exploit this vulnerability using a specially-crafted UsernameToken to bypass security restrictions and gain unauthorized access to the system.
Note: This vulnerability does not exist when WebSphere web services clients are used.
This problem was introduced in 6.0.2.25 and 6.1.0.15. It also exists in 7.0 and 7.0.0.1.
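The APAR does not say which check the affected runtime skipped, only that UsernameTokens were validated improperly. As an added illustration (not IBM code, and not a description of the WebSphere defect), the following validator performs every check that the OASIS WS-Security UsernameToken Profile 1.0 requires of a PasswordDigest token before a caller is treated as authenticated: all elements present, digest type declared, timestamp inside a skew window, nonce not replayed, and a constant-time digest compare. The credential store, nonce cache and skew window are assumptions.

```python
import base64, hashlib, secrets, xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

# Hypothetical credential store, nonce replay cache and clock-skew window (assumptions).
PASSWORDS = {"alice": "s3cret"}
SEEN_NONCES = set()
MAX_SKEW = timedelta(minutes=5)

def parse_ts(s):
    # wsu:Created is an xsd:dateTime in UTC, e.g. 2009-01-15T12:00:00Z
    try:
        return datetime.fromisoformat(s.replace("Z", "+00:00"))
    except ValueError:
        return None

def password_digest(nonce_b64, created, password):
    # UsernameToken Profile 1.0: Password_Digest = Base64(SHA-1(nonce + created + password))
    raw = base64.b64decode(nonce_b64) + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def make_token(user, password, nonce_b64, created):
    # Builds a constructed wsse:Security header the way a compliant client would.
    return (f'<Security xmlns="{WSSE[1:-1]}" xmlns:wsu="{WSU[1:-1]}"><UsernameToken>'
            f'<Username>{user}</Username><Password Type="{DIGEST}">'
            f"{password_digest(nonce_b64, created, password)}</Password><Nonce>{nonce_b64}</Nonce>"
            f"<wsu:Created>{created}</wsu:Created></UsernameToken></Security>")

def validate_username_token(header_xml, now_iso=None):
    # Returns the authenticated username, or None when any single check fails.
    now = parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    tok = ET.fromstring(header_xml).find(f".//{WSSE}UsernameToken")
    if tok is None:
        return None
    user, nonce = tok.findtext(f"{WSSE}Username"), tok.findtext(f"{WSSE}Nonce")
    pwd, created = tok.find(f"{WSSE}Password"), tok.findtext(f"{WSU}Created")
    # Incomplete tokens and non-digest password types are rejected, never treated as verified.
    if not (user and nonce and created) or pwd is None or pwd.get("Type") != DIGEST:
        return None
    ts, secret = parse_ts(created), PASSWORDS.get(user)
    # Unknown user, bad or stale timestamp, or replayed nonce fail before the digest compare.
    if secret is None or ts is None or abs(now - ts) > MAX_SKEW or nonce in SEEN_NONCES:
        return None
    if not secrets.compare_digest(password_digest(nonce, created, secret).encode(), (pwd.text or "").encode()):
        return None
    SEEN_NONCES.add(nonce)
    return user
```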
RECOMMENDATION:
Apply APAR PK75992 or a Fix Pack containing this APAR.
PROBLEM CONCLUSION:
The WS-Security runtime was updated to ensure that UsernameTokens are validated properly.
The fix for this APAR is currently targeted for inclusion in fix packs 6.0.2.33, 6.1.0.23, and 7.0.0.3. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Document Information
Modified date:
15 June 2018
UID
swg24022737