Potential vulnerability when JAX-WS WS-Security is configured for XML Digital Signature
PM91521 resolves the following problem:
Users of IBM WebSphere Application Server with WS-Security-enabled JAX-WS web services and XML digital signature could experience improper checking of a certificate.
IBM WebSphere Application Server using WS-Security and configured for XML Digital Signature with a trust store could allow a network attacker to gain elevated privileges on the system because of improper checking of the certificate.
This issue applies to both the JAX-WS and JAX-RPC runtimes.
The WS-Security runtime has been updated to fix this potential security vulnerability.
This issue exists in IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services 220.127.116.11 through 18.104.22.168.
22.214.171.124-WS-WASWebSvc-IFPM91521.pak applies to 126.96.36.199 through 188.8.131.52.
This issue also exists in IBM WebSphere Application Server Version 6.0.2, 7.0, 8.0, and 8.5; it is fixed under APAR PM90949.
The fix for this APAR is currently targeted for inclusion in fix pack 184.108.40.206. Please refer to the Recommended Updates page for delivery information:
Please download the UpdateInstaller below to install this fix.
Please review the readme.txt for detailed installation instructions.
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
15 June 2018