Download
Abstract
Possible security exposure with WebSphere Application Server with WS-Security enabled JAX-WS applications using LTPA tokens
Download Description
PM43585 resolves the following problem:
ERROR DESCRIPTION:
An error in web services security (WS-Security) processing of an inbound LTPA token may cause a user to gain elevated privileges on the provider system.
USERS AFFECTED:
IBM WebSphere Application Server users of WS-Security enabled JAX-WS applications and LTPA tokens.
PROBLEM DESCRIPTION:
WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication.
RECOMMENDATION:
Do one of the following:
* For WebSphere v7:
  * Install fix pack 7.0.0.21 or later
  * Install interim fix 7.0.0.0-WS-WAS-IFPM43585.pak
  * Install interim fix 7.0.0.11-WS-WAS-IFPM43585.zip if using IBM Install Manager
* For WebSphere v8:
  * Install fix pack 8.0.0.2 or later
  * Install interim fix 8.0.0.0-WS-WASProd-IFPM43585.zip
CONCLUSION:
The fix for this APAR is currently targeted for inclusion in
fix packs 7.0.0.21 and 8.0.0.2. Please refer to the
Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
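The recommendation above can be turned into a per-server check. The following is an added example, not IBM code: the function names, the inventory data, and the assumption that an installed interim fix id contains the APAR number (as the fix file names above do) are all illustrative.

```python
import re

# Fix levels and APAR id taken from the advisory text above.
APAR = "PM43585"
FIXED_IN = {7: (7, 0, 0, 21), 8: (8, 0, 0, 2)}


def parse_version(text):
    """Return a 4-tuple of ints for 'V.R.M.F', or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None


def remediation_status(version, installed_fixes=()):
    """Classify one server against the advisory's recommendation.

    version         -- product version string, e.g. '7.0.0.19'
    installed_fixes -- ids of installed interim fixes (hypothetical input;
                       how you collect them is site-specific)
    """
    parsed = parse_version(version)
    if parsed is None:
        return "unknown: cannot parse version"
    fixed = FIXED_IN.get(parsed[0])
    if fixed is None:
        return "not covered: advisory lists only v7 and v8"
    # Tuple comparison is numeric per field, so 7.0.0.9 < 7.0.0.21.
    # A plain string comparison would get this wrong.
    if parsed >= fixed:
        return "remediated: fix pack level"
    # Assumption: interim fix ids embed the APAR number (...-IFPM43585).
    if any(APAR in fix.upper() for fix in installed_fixes):
        return "remediated: interim fix"
    return "action needed: install fix pack %s or the interim fix" % (
        ".".join(map(str, fixed)))


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("app01", "7.0.0.9", []),
        ("app02", "7.0.0.19", ["7.0.0.0-WS-WAS-IFPM43585"]),
        ("app03", "8.0.0.2", []),
        ("app04", "8.0.0.1", []),
    ]
    for host, ver, fixes in inventory:
        print(host, ver, "->", remediation_status(ver, fixes))
```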
Prerequisites
Please download the UpdateInstaller below to install this fix.
Installation Instructions
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed
Document Information
Modified date:
15 June 2018
UID
swg24032586