IBM Support

PM45181; Possible security exposure with WebSphere Application Server

Abstract

Possible security exposure with WebSphere Application Server with WS-Security enabled JAX-RPC applications using LTPA tokens

Download Description

PM45181 resolves the following problem:

ERROR DESCRIPTION:
An error in web services security (WS-Security) processing of an inbound LTPA token may cause a user to gain elevated privileges on the provider system.

USERS AFFECTED:
IBM WebSphere Application Server users of WS-Security enabled JAX-RPC applications and LTPA tokens

PROBLEM DESCRIPTION:
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). Because of an error in the processing of the LTPA token, a user could unpredictably gain elevated privileges on the provider system.

RECOMMENDATION:
Install a fix pack or interim fix (ifix) that contains this APAR.
For WebSphere Application Server v6.1, apply 6.1.0.0-WS-WAS-IFPM45181.pak.
For WebSphere Application Server v7, apply 7.0.0.0-WS-WAS-IFPM45181.pak.
For WebSphere Application Server v7, apply 7.0.0.11-WS-WAS-IFPM45181.zip if using IBM Install Manager.
For WebSphere Application Server 8.0.0.0 through 8.0.0.1, apply 8.0.0.0-WS-WASProd-IFPM45181.zip.
For WebSphere Application Server 8.0.0.2, apply 8.0.0.2-WS-WASProd-IFPM45181.zip.
For WebSphere Application Server 6.0.2.1 through 6.0.2.43, apply 6.0.2.1-WS-WAS-IFPM45181.pak.
For WebSphere Application Server 6.0.2.0, upgrade to fix pack 6.0.2.1 or later, then apply 6.0.2.1-WS-WAS-IFPM45181.pak.

CONCLUSION:
The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.43, 7.0.0.23, and 8.0.0.3. Please refer to the Recommended Updates page for delivery information:

http://www.ibm.com/support/docview.wss?uid=swg27004980
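The RECOMMENDATION and CONCLUSION sections together define which installed versions still need an interim fix and which are targeted to receive PM45181 through a fix pack. The following added example (not IBM's code) turns that mapping into a triage helper for a server inventory; the version ranges, ifix names and target fix packs come from this document, while the hostnames and versions in the sample inventory are constructed.

```python
# Added example, not part of the IBM document: triage installed WebSphere
# Application Server versions against the PM45181 recommendation.

def parse_version(v):
    """Turn '7.0.0.11' into a comparable tuple, padded to four components."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

# Fix packs the APAR is targeted for, per the CONCLUSION section.
FIXED_IN = {"6.1": "6.1.0.43", "7.0": "7.0.0.23", "8.0": "8.0.0.3"}

def pm45181_action(version, install_manager=False):
    """Return the recommended action for one installed WAS version string."""
    v = parse_version(version)
    major_minor = ".".join(version.split(".")[:2])
    target = FIXED_IN.get(major_minor)
    if target and v >= parse_version(target):
        return "no action: fix pack %s or later is targeted to contain PM45181" % target
    if v == (6, 0, 2, 0):
        return "upgrade to 6.0.2.1 or later, then apply 6.0.2.1-WS-WAS-IFPM45181.pak"
    if (6, 0, 2, 1) <= v <= (6, 0, 2, 43):
        return "apply 6.0.2.1-WS-WAS-IFPM45181.pak"
    if major_minor == "6.1":
        return "apply 6.1.0.0-WS-WAS-IFPM45181.pak"
    if major_minor == "7.0":
        # The zip is the Install Manager packaging of the same interim fix.
        return "apply 7.0.0.11-WS-WAS-IFPM45181.zip" if install_manager \
            else "apply 7.0.0.0-WS-WAS-IFPM45181.pak"
    if (8, 0, 0, 0) <= v <= (8, 0, 0, 1):
        return "apply 8.0.0.0-WS-WASProd-IFPM45181.zip"
    if v == (8, 0, 0, 2):
        return "apply 8.0.0.2-WS-WASProd-IFPM45181.zip"
    return "not covered by this APAR's recommendation; check the Recommended Updates page"

def triage(inventory):
    """inventory: list of (hostname, version, uses_install_manager).
    Returns {hostname: action} only for hosts that still need a fix."""
    result = {}
    for host, version, im in inventory:
        action = pm45181_action(version, im)
        if not action.startswith("no action"):
            result[host] = action
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("was-prod-01", "7.0.0.11", True),
    ("was-prod-02", "7.0.0.23", False),
    ("was-legacy-01", "6.0.2.0", False),
    ("was-test-01", "8.0.0.2", False),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(host, "->", action)
```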

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 6346): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM45181/readme.txt

Download Package

7.0.0.0-WS-WAS-IFPM45181 (2 May 2012, US English, AIX, size 14321)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.0-WS-WAS-IFPM45181&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM45181/7.0.0.0-WS-WAS-IFPM45181.pak

6.0.2.1-WS-WASBase-IFPM45181 (6 Jun 2012, US English, AIX, size 6850)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.0.2.1-WS-WASBase-IFPM45181&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM45181/6.0.2.1-WS-WASBase-IFPM45181.pak

6.1.0.0-WS-WAS-IFPM45181 (6 Jun 2012, US English, AIX, size 14263)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.0-WS-WAS-IFPM45181&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM45181/6.1.0.0-WS-WAS-IFPM45181.pak

8.0.0.0-WS-WASProd-IFPM45181 (6 Jun 2012, US English, AIX, size 240291)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.0-WS-WASProd-IFPM45181&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM45181/8.0.0.0-WS-WASProd-IFPM45181.zip

8.0.0.2-WS-WASProd-IFPM45181 (6 Jun 2012, US English, AIX, size 235552)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=8.0.0.2-WS-WASProd-IFPM45181&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM45181/8.0.0.2-WS-WASProd-IFPM45181.zip

7.0.0.11-WS-WAS-IFPM45181 (10 Jul 2012, US English, AIX, size 175652)
  Fix Central: http://www.ibm.com/support/fixcentral/quickorder?fixids=7.0.0.11-WS-WAS-IFPM45181&product=ibm%2FWebSphere%2FWebSphere+Application+Server&source=dbluesearch
  FTP: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM45181/7.0.0.11-WS-WAS-IFPM45181.zip

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Component: Web Services Security
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Versions: 8.0.0.2; 8.0.0.1; 8.0; 7.0.0.21; 7.0.0.19; 7.0.0.17; 7.0.0.15; 7.0.0.13; 7.0.0.11; 7.0.0.9; 7.0.0.7; 7.0.0.5; 7.0.0.3; 7.0.0.1; 7.0; 6.1.0.41; 6.1.0.39; 6.1.0.37; 6.1.0.35; 6.1.0.33; 6.1.0.31; 6.1.0.29; 6.1.0.27; 6.1.0.25; 6.1.0.23; 6.1.0.21; 6.1.0.19; 6.1.0.17; 6.1.0.15; 6.1.0.14; 6.1.0.13; 6.1.0.11; 6.1.0.9; 6.1.0.7; 6.1.0.5; 6.1.0.3; 6.1.0.2; 6.1.0.1; 6.1; 6.0.2.43; 6.0.2.41; 6.0.2.39; 6.0.2.37; 6.0.2.35; 6.0.2.33; 6.0.2.31; 6.0.2.29; 6.0.2.27; 6.0.2.25; 6.0.2.23; 6.0.2.21; 6.0.2.19; 6.0.2.17; 6.0.2.15; 6.0.2.13; 6.0.2.11; 6.0.2.9; 6.0.2.8; 6.0.2.7; 6.0.2.6; 6.0.2.5; 6.0.2.4; 6.0.2.3; 6.0.2.2; 6.0.2.1
Editions: Base; Network Deployment; Single Server
Business Unit: Cloud & Data Platform (BU053); Line of Business: Automation (LOB45)

Document Information

Modified date:
15 June 2018

UID

swg24032585