Potential security exposure with the JAX-WS WS-Security runtime and the Timestamp element
PM16014 resolves the following problem:
When the WS-Security policy for a JAX-WS application specifies
a Timestamp element, there is a potential risk of a security
IBM WebSphere Application Server users of
WS-Security enabled JAX-WS applications
JAX-RPC applications are not impacted.
When using a WS-Security enabled JAX-WS web service application,
if the WS-Security policy specifies 'IncludeTimestamp', there
is a potential risk of security exposure.
WS-Security enabled JAX-RPC web service applications are not
Install a fixpack that includes this APAR.
The JAX-WS WS-Security runtime is updated to eliminate the
potential security exposure.
After an fixpack or an ifix containing this APAR is
applied, the WS-Security runtime might reject SOAP messages
with an error related to the Timestamp element. If this
problem occurs, ensure that the WS-Security policy for
both the consumer and provider match.
For more information about the use of Timestamp in
WebSphere WS-Security and the precautions that should be
taken, refer to the following WebSphere Application Server
Information Center document on the Timestamp element:
The fix for this APAR is currently targeted for inclusion in
fix pack 126.96.36.199. Please refer to the Recommended Updates
page for delivery information:
Please download the UpdateInstaller below to install this fix.
Please review the readme.txt for detailed installation instructions.
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
15 June 2018