IBM Support

PM91521;6.1.0: POTENTIAL VULNERABILITY WHEN JAX-WS WS-SECURITY IS CONFIGURED FOR XML DIGITAL SIGNATURE

Download


Abstract

Potential vulnerability when JAX-WS WS-Security is configured for XML Digital Signature

Download Description

PM91521 resolves the following problem:

ERROR DESCRIPTION:
IBM WebSphere Application Server users of WS-Security-enabled JAX-WS web services with XML digital signature could experience improper checking of a certificate.

PROBLEM SUMMARY:
IBM WebSphere Application Server, when using WS-Security configured for XML Digital Signature with a trust store, could allow a network attacker to gain elevated privileges on the system because of improper checking of the certificate.

This issue applies to both the JAX-WS and JAX-RPC runtimes.

PROBLEM CONCLUSION:
The WS-Security runtime has been updated to fix this potential security vulnerability.

This issue exists in IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services 6.1.0.13 through 6.1.0.45.

6.1.0.33-WS-WASWebSvc-IFPM91521.pak applies to 6.1.0.33 through 6.1.0.45.

This issue also exists in IBM WebSphere Application Server Version 6.0.2, 7.0, 8.0, and 8.5; it is fixed under APAR PM90949.

The fix for this APAR is currently targeted for inclusion in fix pack 6.1.0.47. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, AIX, size 7250000): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme (US English, size 7358): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM91521/readme.txt
6.1.0.33-WS-WASWebSvc-IFPM91521 (dated 09-23-2013, US English, AIX, size 37264): http://www.ibm.com/support/fixcentral/quickorder?fixids=6.1.0.33-WS-WASWebSvc-IFPM91521&product=ibm%2FWebSphere%2FWebSphere%20Application%20Server&source=dbluesearch

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Business Unit: Cloud & Data Platform
Component: Web Services Security
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 6.1.0.33; 6.1.0.35; 6.1.0.37; 6.1.0.39; 6.1.0.41; 6.1.0.43; 6.1.0.45
Edition: Feature Pack for Web Services
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24036300