
PK80596: Possible security exposure with XML digital signature



Abstract

Possible security exposure with XML digital signature

Download Description

PK80596 resolves the following problem:

ERROR DESCRIPTION:
Possible security exposure with XML digital signature.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
WebSphere Application Server users of JAX-WS and JAX-RPC applications that use a MAC algorithm (shared secret key), such as http://www.w3.org/2000/09/xmldsig#hmac-sha1, for message integrity.

PROBLEM DESCRIPTION:
Web services messages that do not follow XML digital signature best practice may be accepted by the Application Server if those messages otherwise satisfy quality of service policy requirements.

RECOMMENDATION:
Apply APAR PK80596 or a Fix Pack containing this APAR.

PROBLEM CONCLUSION:
The WS-Security runtime was updated to reject messages that do not follow XML digital signature best practice.

Web services requests that contain digital signatures not generated by WebSphere Application Server may be rejected after this fix is applied, for integrity reasons.

The fix for this APAR is currently targeted for inclusion in Fix Packs 6.0.2.35, 6.1.0.25, and 7.0.0.3.

For JAX-WS applications running on the WebSphere Application Server V6.1 Feature Pack for Web Services, APAR PK80627 fixes this problem.

Please refer to the Recommended Updates page for delivery information:

http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, platform AIX, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 6232): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/readme.txt

Fix downloads (all dated 6/17/2009, US English, platform AIX):

6.0.2.27-WS-WAS-IFPK80596 (size 354385)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.27-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.0.2.27-WS-WAS-IFPK80596.pak
Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80596/6.0.2.27-WS-WAS-IFPK80596.pak

6.0.2.31-WS-WAS-IFPK80596 (size 56848)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.31-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.0.2.31-WS-WAS-IFPK80596.pak
Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80596/6.0.2.31-WS-WAS-IFPK80596.pak

6.0.2.33-WS-WAS-IFPK80596 (size 56840)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.33-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.0.2.33-WS-WAS-IFPK80596.pak
Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80596/6.0.2.33-WS-WAS-IFPK80596.pak

6.1.0.17-WS-WAS-IFPK80596 (size 660640)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.17-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.1.0.17-WS-WAS-IFPK80596.pak
Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80596/6.1.0.17-WS-WAS-IFPK80596.pak

6.1.0.21-WS-WAS-IFPK80596 (size 111428)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.21-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.1.0.21-WS-WAS-IFPK80596.pak
Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80596/6.1.0.21-WS-WAS-IFPK80596.pak

6.1.0.23-WS-WAS-IFPK80596 (size 111419)
Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.23-WS-WAS-IFPK80596&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch
FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PK80596/6.1.0.23-WS-WAS-IFPK80596.pak
Download Director: http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PK80596/6.1.0.23-WS-WAS-IFPK80596.pak

Technical Support

Contact IBM Support using SR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform (BU053)
Component: Web Services Security
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Versions: 6.0.2.27, 6.0.2.31, 6.0.2.33, 6.1.0.17, 6.1.0.21, 6.1.0.23
Editions: Base, Express, Network Deployment

Document Information

Modified date:
15 June 2018

UID

swg24023545