IBM Support

PK75992; JAX-RPC WS-Security Runtime May Improperly Validate UsernameTokens

Download

Abstract

WS-Security for JAX-RPC applications may improperly validate UsernameTokens

Download Description

PK75992 resolves the following problem:

ERROR DESCRIPTION:
A potential security exposure exists when using UsernameTokens with WS-Security for JAX-RPC applications.

LOCAL FIX:
N/A

PROBLEM SUMMARY

USERS AFFECTED:
Administrators of IBM WebSphere Application Server who run WS-Security-enabled JAX-RPC service providers that use UsernameTokens and are accessed by non-WebSphere web services clients.

PROBLEM DESCRIPTION:
WebSphere Application Server could allow a remote attacker to bypass security restrictions, caused by improper validation of the UsernameToken when using JAX-RPC for WS-Security applications. An attacker could exploit this vulnerability using a specially crafted UsernameToken to bypass security restrictions and gain unauthorized access to the system.
Note: This vulnerability does not exist when WebSphere web services clients are used.


This problem was introduced in 6.0.2.25 and 6.1.0.15. It also exists in 7.0 and 7.0.0.1.

RECOMMENDATION:
Apply APAR PK75992 or a Fix Pack containing this APAR.


PROBLEM CONCLUSION:
The WS-Security runtime was updated to ensure that UsernameTokens are validated properly.

The fix for this APAR is currently targeted for inclusion in fix packs 6.0.2.33, 6.1.0.23, and 7.0.0.3. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, 7,250,000 bytes, platform: AIX):
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, 5,615 bytes):
ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK75992/readme.txt

Fix downloads (all dated 4/7/2009, US English, platform listed as AIX):

6.0.2.27-WS-WAS-IFPK75992 (11,268 bytes)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.27-WS-WAS-IFPK75992&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK75992/6.0.2.27-WS-WAS-IFPK75992.pak
  Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK75992/6.0.2.27-WS-WAS-IFPK75992.pak

6.1.0.19-WS-WAS-IFPK75992 (32,526 bytes)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.19-WS-WAS-IFPK75992&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK75992/6.1.0.19-WS-WAS-IFPK75992.pak
  Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK75992/6.1.0.19-WS-WAS-IFPK75992.pak

7.0.0.0-WS-WAS-IFPK75992 (36,939 bytes)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.0-WS-WAS-IFPK75992&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK75992/7.0.0.0-WS-WAS-IFPK75992.pak
  Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK75992/7.0.0.0-WS-WAS-IFPK75992.pak

Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform (BU053)
Component: Web Services Security
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Versions: 7.0.0.1, 7.0, 6.1.0.21, 6.1.0.19, 6.0.2.31, 6.0.2.29, 6.0.2.27
Editions: Base, Express, Network Deployment
Line of Business: Automation (LOB45)

Document Information

Modified date: 15 June 2018

UID: swg24022737