Potential security exposure with the JAX-WS WS-Security runtime and the Timestamp element
PM08360 resolves the following problem:
When the WS-Security policy for a JAX-WS application specifies a Timestamp element, there is a potential risk of a security exposure.
IBM WebSphere Application Server Feature Pack for Web Services users of WS-Security enabled JAX-WS applications utilizing Timestamp.
JAX-RPC applications are not impacted.
When using a WS-Security enabled JAX-WS web service application, if the WS-Security policy specifies 'IncludeTimestamp', there is a potential risk of security exposure.
WS-Security enabled JAX-RPC web service applications are not impacted.
Install a fixpack or ifix that includes this APAR.
The JAX-WS WS-Security runtime is updated to eliminate the potential security exposure.
After an fixpack or an ifix containing this APAR is applied, the WS-Security runtime might reject SOAP messages with an error related to the Timestamp element. If this problem occurs, ensure that the WS-Security policy for both the consumer and provider match.
The fix for this APAR is currently targeted for inclusion in fix pack 188.8.131.52. Please refer to the Recommended Updates page for delivery information:
More information about the use of Timestamp with WS-Security in WebSphere Application Server v6.1 and the precautions that should be taken is shown below:
A time stamp is the value of an object that indicates the system time at some critical point in the history of the object.
A time stamp is included in a message to reduce the vulnerability of an application to replay attacks. In Web services, a replay attack occurs when an HTTP request is intercepted and the content is resent to the provider in its original form.
Avoid trouble: When you include a time stamp in a message, you must protect its integrity using transport security, such as secure sockets layer (SSL) or message-level security, such as XML digital signature. If you do not protect the integrity of the time stamp, it is possible to capture the message and retransmit the content with a different time stamp, message expiration date, or both.
For the JAX-RPC run time, 5 minutes is the default message expiration time that is used for the receiver if a value is not specified in the message. If a different expiration is required for a specific client or you are unsure of the target service default value, configure a message expiration time value for the outbound time stamp.
- When the Web Services Security JAX-RPC run time generates or consumes a message, it does not enforce that the integrity of the time stamp is protected.
- The Web Services Security JAX-RPC run time does not have a default outbound message expiration value. If you want to include a message expiration value in a message, you must configure it.
- The time stamp expiration value is specified in the Web services deployment descriptor extension. You cannot modify the Web services deployment descriptor extension from the administrative console; you can only view it. To modify the deployment descriptor extension, you must use an assembly tool and add or change the time stamp expiration value for a JAX-RPC application.
- If WS-Security constraints exist to consume a timestamp, the client must send a timestamp.
Please download the UpdateInstaller below to install this fix.
Please review the readme.txt for detailed installation instructions.
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
15 June 2018