Possible security exposure with XML digital signature
PK80596 resolves the following problem:
ERROR DESCRIPTION:
Possible security exposure with XML digital signature.
LOCAL FIX:
PROBLEM SUMMARY
USERS AFFECTED:
WebSphere Application Server users of JAX-WS and JAX-RPC applications that use a MAC algorithm (shared secret key), such as http://www.w3.org/2000/09/xmldsig#hmac-sha1, for message integrity.
PROBLEM DESCRIPTION:
Web services messages whose XML digital signatures do not follow XML digital signature best practice may be accepted by the Application Server if those messages otherwise satisfy the quality-of-service policy requirements.
RECOMMENDATION:
Apply APAR PK80596 or a Fix Pack containing this APAR.
PROBLEM CONCLUSION:
The WS-Security runtime was updated to reject messages whose XML digital signatures do not follow XML digital signature best practice.
After this fix is applied, web services requests carrying digital signatures that were not generated by WebSphere Application Server may be rejected, in the interest of message integrity.
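The integrity mode named under USERS AFFECTED (an hmac-sha1 SignatureValue computed with a shared secret over a canonicalised ds:SignedInfo that carries the digest of the signed body) is what a strict verifier of the kind described in PROBLEM CONCLUSION has to check end to end. The following is an added illustration written for this page; it is not WebSphere's WS-Security runtime and does not reproduce the specific rule PK80596 enforces, which the APAR text does not spell out. The shared key, the SOAP body, the element layout and the use of Python's C14N 2.0 canonicaliser (xml.etree.ElementTree.canonicalize, Python 3.8+) on both sides are assumptions.

```python
# Added example, not part of APAR PK80596 or WebSphere: an HMAC-SHA1 integrity
# check in the shape of an XML Signature with a shared secret key. The key,
# message and structure below are constructed for illustration.
import base64
import hashlib
import hmac
from xml.etree.ElementTree import canonicalize, fromstring

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HMAC_SHA1_URI = DSIG_NS + "hmac-sha1"            # algorithm named in USERS AFFECTED
SHA1_URI = DSIG_NS + "sha1"
C14N_URI = "http://www.w3.org/2010/10/xml-c14n2"  # what xml.etree canonicalize implements

# Constructed sample shared secret (assumed pre-agreed between client and server).
SHARED_KEY = b"example-shared-secret-for-illustration-only"

# Constructed sample SOAP body; the Reference element points at it via its Id.
BODY = (
    '<soap:Body xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" Id="body-1">'
    "<transfer><account>12345</account><amount>100.00</amount></transfer>"
    "</soap:Body>"
)
TAMPERED_BODY = BODY.replace("100.00", "9999.00")


def c14n(xml_text):
    """Canonicalise so signer and verifier MAC identical bytes for the same XML."""
    return canonicalize(xml_data=xml_text, strip_text=True).encode("utf-8")


def build_signed_info(body_xml, ref_uri="#body-1"):
    """Build the ds:SignedInfo element carrying the SHA-1 digest of the body."""
    digest = base64.b64encode(hashlib.sha1(c14n(body_xml)).digest()).decode()
    return (
        f'<ds:SignedInfo xmlns:ds="{DSIG_NS}">'
        f'<ds:CanonicalizationMethod Algorithm="{C14N_URI}"/>'
        f'<ds:SignatureMethod Algorithm="{HMAC_SHA1_URI}"/>'
        f'<ds:Reference URI="{ref_uri}">'
        f'<ds:DigestMethod Algorithm="{SHA1_URI}"/>'
        f"<ds:DigestValue>{digest}</ds:DigestValue>"
        "</ds:Reference></ds:SignedInfo>"
    )


def sign(body_xml, key):
    """Client side: return (SignedInfo XML, base64 SignatureValue)."""
    signed_info = build_signed_info(body_xml)
    mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    return signed_info, base64.b64encode(mac).decode()


def verify(body_xml, signed_info, signature_value, key):
    """Server side: accept only a well-formed hmac-sha1 signature whose
    reference digest and full-length MAC both check out."""
    try:
        root = fromstring(signed_info)
        given_mac = base64.b64decode(signature_value, validate=True)
    except (SyntaxError, ValueError):          # ParseError / binascii.Error
        return False
    sig_method = root.find(f"{{{DSIG_NS}}}SignatureMethod")
    if sig_method is None or sig_method.get("Algorithm") != HMAC_SHA1_URI:
        return False                           # only the MAC mode discussed here
    ref = root.find(f"{{{DSIG_NS}}}Reference")
    if ref is None:
        return False
    dm = ref.find(f"{{{DSIG_NS}}}DigestMethod")
    dv = ref.find(f"{{{DSIG_NS}}}DigestValue")
    if dm is None or dv is None or dm.get("Algorithm") != SHA1_URI:
        return False
    try:
        given_digest = base64.b64decode(dv.text or "", validate=True)
    except ValueError:
        return False
    # 1. The referenced content must hash to the digest the signer committed to.
    expected_digest = hashlib.sha1(c14n(body_xml)).digest()
    if not hmac.compare_digest(expected_digest, given_digest):
        return False
    # 2. The MAC over canonical SignedInfo must match at its full 20-byte length;
    #    a SignatureValue of any other length is rejected outright.
    expected_mac = hmac.new(key, c14n(signed_info), hashlib.sha1).digest()
    if len(given_mac) != len(expected_mac):
        return False
    return hmac.compare_digest(expected_mac, given_mac)


def demo():
    """Run the accept/reject cases and return their outcomes."""
    signed_info, sig = sign(BODY, SHARED_KEY)
    short_sig = base64.b64encode(base64.b64decode(sig)[:8]).decode()
    return {
        "valid": verify(BODY, signed_info, sig, SHARED_KEY),
        "tampered_body": verify(TAMPERED_BODY, signed_info, sig, SHARED_KEY),
        "wrong_key": verify(BODY, signed_info, sig, b"other-key"),
        "short_mac": verify(BODY, signed_info, short_sig, SHARED_KEY),
        "other_algorithm": verify(
            BODY, signed_info.replace("hmac-sha1", "rsa-sha1"), sig, SHARED_KEY
        ),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted; every structural or cryptographic deviation is refused before the MAC comparison or by it. A verifier this strict is also why the PROBLEM CONCLUSION warns that signatures produced by other toolkits may start to be rejected: anything that departs from the expected element layout, algorithm identifiers or MAC length fails closed.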
The fix for this APAR is currently targeted for inclusion in Fix Packs 6.0.2.35, 6.1.0.25, and 7.0.0.3.
For JAX-WS applications running on WebSphere Application Server V6.1 Feature Pack for Web Services, APAR PK80627 fixes this problem.
Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Please download the UpdateInstaller to install this fix:
  UpdateInstaller (AIX, US English, 7250000 bytes): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991
Please review the readme.txt for detailed installation instructions:
  Readme (US English, 6232 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/readme.txt
Interim fix downloads (all dated 6/17/2009, US English, listed for AIX):
  6.0.2.27-WS-WAS-IFPK80596 (354385 bytes)
    Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.27-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
    FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.0.2.27-WS-WAS-IFPK80596.pak
  6.0.2.31-WS-WAS-IFPK80596 (56848 bytes)
    Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.31-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
    FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.0.2.31-WS-WAS-IFPK80596.pak
  6.0.2.33-WS-WAS-IFPK80596 (56840 bytes)
    Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.33-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
    FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.0.2.33-WS-WAS-IFPK80596.pak
  6.1.0.17-WS-WAS-IFPK80596 (660640 bytes)
    Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.17-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
    FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.1.0.17-WS-WAS-IFPK80596.pak
  6.1.0.21-WS-WAS-IFPK80596 (111428 bytes)
    Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.21-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
    FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.1.0.21-WS-WAS-IFPK80596.pak
  6.1.0.23-WS-WAS-IFPK80596 (111419 bytes)
    Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.23-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
    FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.1.0.23-WS-WAS-IFPK80596.pak
APPLIES TO:
Product: WebSphere Application Server (Base, Express, Network Deployment editions)
Component: Web Services Security
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Versions: 6.0.2.27, 6.0.2.31, 6.0.2.33, 6.1.0.17, 6.1.0.21, 6.1.0.23