IBM Support

PM16014; 7.0.0.9: Potential security exposure with JAX-WS WS-Security runtime

Download


Abstract

Potential security exposure with the JAX-WS WS-Security runtime and the Timestamp element

Download Description

PM16014 resolves the following problem:

ERROR DESCRIPTION:
When the WS-Security policy for a JAX-WS application specifies
a Timestamp element, there is a potential risk of a security
exposure.

LOCAL FIX:
na

PROBLEM SUMMARY

USERS AFFECTED:
IBM WebSphere Application Server users of
WS-Security enabled JAX-WS applications
utilizing Timestamp.

JAX-RPC applications are not impacted.

PROBLEM DESCRIPTION:
When using a WS-Security enabled JAX-WS web service application,
if the WS-Security policy specifies 'IncludeTimestamp', there
is a potential risk of security exposure.

WS-Security enabled JAX-RPC web service applications are not
impacted.

RECOMMENDATION:
Install a fixpack that includes this APAR.

PROBLEM CONCLUSION:
The JAX-WS WS-Security runtime is updated to eliminate the
potential security exposure.

After an fixpack or an ifix containing this APAR is
applied, the WS-Security runtime might reject SOAP messages
with an error related to the Timestamp element. If this
problem occurs, ensure that the WS-Security policy for
both the consumer and provider match.

For more information about the use of Timestamp in
WebSphere WS-Security and the precautions that should be
taken, refer to the following WebSphere Application Server
Information Center document on the Timestamp element:

http://www14.software.ibm.com/webapp/wsbroker/redirect?version=compass&product=was-nd-mp&topic=cwbs_timestamp


The fix for this APAR is currently targeted for inclusion in
fix pack 7.0.0.13. Please refer to the Recommended Updates
page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

[{"PRLabel":"UpdateInstaller","PRLang":"US English","PRSize":"7250000","PRPlat":{"label":"AIX","code":"PF002"},"PRURL":"http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991"}]

Installation Instructions

Please review the readme.txt for detailed installation instructions.

[{"INLabel":"Readme","INLang":"US English","INSize":"6972","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM16014/readme.txt"}]
On
[{"DNLabel":"7.0.0.11-WS-WAS-IFPM16014","DNDate":"8/19/2010","DNLang":"US English","DNSize":"485329","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.11-WS-WAS-IFPM16014&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch","DNURL_FTP":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM16014/7.0.0.11-WS-WAS-IFPM16014.pak","DDURL":"http://public.dhe.ibm.com:7618;sw_websphere;appserv/support/fixes/PM16014/7.0.0.11-WS-WAS-IFPM16014.pak"}]

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Web Services Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"7.0;7.0.0.1;7.0.0.11;7.0.0.3;7.0.0.5;7.0.0.7;7.0.0.9","Edition":"Base;Network Deployment","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
15 June 2018

UID

swg24027709