PH01752:Possible security exposure in SAML Web SSO (CVE-2018-1793)

Abstract

Possible security exposure in SAML Web SSO (CVE-2018-1793)

Download Description

PH01752 resolves the following problem:

ERROR DESCRIPTION:
Possible security exposure in SAML Web SSO (CVE-2018-1793).

PROBLEM SUMMARY:
Possible security exposure in SAML Web SSO (CVE-2018-1793).

LOCAL FIX:
For each application server profile in which the SAML Web SSO TAI is not configured but WebSphereSamlSP.ear is installed, uninstall WebSphereSamlSP.ear.

PROBLEM CONCLUSION:
The SAML ACS application, WebSphereSamlSP.ear, is updated to eliminate the reported security exposure.

When an interim fix for this APAR is installed, the fix is not active on a profile until the installed SAML Web SSO application, WebSphereSamlSP.ear, is updated from the (WAS_HOME)/installableApps directory.
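The local fix above and the post-install note both turn on the same two per-profile facts: whether WebSphereSamlSP.ear is installed, and whether the SAML Web SSO TAI is configured. The POSIX shell script below is an added triage example, not part of this APAR or of IBM's fix. It assumes the profile layout stated in its comments (security.xml under config/cells/<cell>/, an installed application expanded under config/cells/<cell>/applications/<app>.ear/) and assumes the SAML TAI class name com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor; it exercises itself against a constructed sample profile tree rather than real profiles.

```sh
#!/bin/sh
# Added example (not IBM's code): triage WebSphere profiles for PH01752.
# Assumptions not stated on the APAR page:
#   - <profile>/config/cells/<cell>/security.xml holds the TAI configuration
#   - an installed application is expanded under
#     <profile>/config/cells/<cell>/applications/<app>.ear/
#   - the SAML Web SSO TAI class is the one named below
SAML_TAI_CLASS='com.ibm.ws.security.web.saml.ACSTrustAssociationInterceptor'
SAML_EAR='WebSphereSamlSP.ear'

# Prints exactly one of:
#   UNINSTALL  ear installed, TAI not configured: remove the ear (LOCAL FIX)
#   UPDATE     ear installed, TAI configured: fix is inactive until the ear is
#              updated from (WAS_HOME)/installableApps
#   NONE       ear not installed: nothing to do on this profile
check_profile() {
    profile="$1"
    installed=no
    tai=no
    for cell in "$profile"/config/cells/*; do
        [ -d "$cell" ] || continue
        [ -d "$cell/applications/$SAML_EAR" ] && installed=yes
        if [ -f "$cell/security.xml" ] && grep -q "$SAML_TAI_CLASS" "$cell/security.xml"; then
            tai=yes
        fi
    done
    if [ "$installed" = yes ] && [ "$tai" = no ]; then
        echo UNINSTALL
    elif [ "$installed" = yes ]; then
        echo UPDATE
    else
        echo NONE
    fi
}

# One line per profile under a profiles root (e.g. /opt/IBM/WebSphere/AppServer/profiles).
check_all() {
    for p in "$1"/*; do
        [ -d "$p" ] || continue
        printf '%s %s\n' "$(basename "$p")" "$(check_profile "$p")"
    done
}

# Constructed sample layout (not real data) so the script can be run offline.
make_sample() {
    root="$1"
    # AppSrv01: ear installed and TAI configured -> UPDATE
    mkdir -p "$root/AppSrv01/config/cells/cell01/applications/$SAML_EAR"
    printf '<security:Security><interceptors interceptorClassName="%s"/></security:Security>\n' \
        "$SAML_TAI_CLASS" > "$root/AppSrv01/config/cells/cell01/security.xml"
    # AppSrv02: ear installed, TAI not configured -> UNINSTALL
    mkdir -p "$root/AppSrv02/config/cells/cell02/applications/$SAML_EAR"
    printf '<security:Security/>\n' > "$root/AppSrv02/config/cells/cell02/security.xml"
    # Dmgr01: ear not installed -> NONE
    mkdir -p "$root/Dmgr01/config/cells/cell03"
    printf '<security:Security/>\n' > "$root/Dmgr01/config/cells/cell03/security.xml"
}

sample="$(mktemp -d)"
make_sample "$sample"
check_all "$sample"
rm -rf "$sample"
```

Point check_all at the real profiles directory to get one verdict per profile. UNINSTALL is the LOCAL FIX case; UPDATE means the interim fix is installed but not active on that profile until WebSphereSamlSP.ear is updated from (WAS_HOME)/installableApps as the readme describes. In a Network Deployment cell, run it against the deployment manager profile, which holds the master configuration.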

THE FOLLOWING FIXES ARE PROVIDED:
7.0.0.23-WS-WAS-IFPH01752.pak applies to fix packs 7.0.0.23 through 7.0.0.45.
8.0.0.4-WS-WAS-IFPH01752.zip applies to fix packs 8.0.0.4 through 8.0.0.15.
8.5.5.0-WS-WASProd-IFPH01752.zip applies to fix packs 8.5.5.0 through 8.5.5.14.
9.0.0.0-WS-WASProd-IFPH01752.zip applies to fix packs 9.0.0.0 through 9.0.0.9.

The fix for this APAR is currently targeted for inclusion in fix packs 8.5.5.15 and 9.0.0.10. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

README        SIZE (Bytes)
V70 Readme    5672
V80 Readme    2617
V85 Readme    2887
V90 Readme    2708

Download Package

DOWNLOAD                        RELEASE DATE   SIZE (Bytes)   OPTIONS
7.0.0.23-WS-WAS-IFPH01752       09-05-2018     10729          FC (Fix Central)
8.0.0.4-WS-WAS-IFPH01752        09-05-2018     230070         FC (Fix Central)
8.5.5.0-WS-WASProd-IFPH01752    09-05-2018     238828         FC (Fix Central)
9.0.0.0-WS-WASProd-IFPH01752    09-05-2018     231727         FC (Fix Central)

Problems Solved

PH01752

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the support web site, or contact 1-800-IBM-SERV (U.S. only).

Applies to

Product: WebSphere Application Server (SSEQTP), Component: General
Platforms: AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, z/OS
Versions: 7.0.0.23, 7.0.0.25, 7.0.0.27, 7.0.0.29, 7.0.0.31, 7.0.0.33, 7.0.0.35, 7.0.0.37, 7.0.0.39, 7.0.0.41, 7.0.0.43, 7.0.0.45; 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.0.0.14, 8.0.0.15; 8.5, 8.5.0.1, 8.5.0.2, 8.5.5, 8.5.5.1, 8.5.5.2, 8.5.5.3, 8.5.5.4, 8.5.5.5, 8.5.5.6, 8.5.5.7, 8.5.5.8, 8.5.5.9, 8.5.5.10, 8.5.5.11, 8.5.5.12, 8.5.5.13, 8.5.5.14; 9.0.0.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.0.6, 9.0.0.7, 9.0.0.8, 9.0.0.9
Editions: Base, Network Deployment, Single Server
Business Unit: Cloud & Data Platform; Line of Business: IBM Automation

Document Information

Modified date:
05 October 2018

UID

ibm10730545