
Security Bulletin: Possible security exposure with WebSphere Application Server with WS-Security enabled applications using LTPA tokens (PM43585/PM43792/PM45181)

Security Bulletin


Summary

There is a possible security exposure when using WS-Security that can result in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.

Vulnerability Details

WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could unpredictably gain elevated privileges on the provider system: after authentication, WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token, so a request can run under another caller's identity. This impacts applications using either JAX-WS or JAX-RPC.

Affected Products and Versions

CVE ID: CVE-2011-1377

Versions affected:

  • WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, 6.1 through 6.1.0.41, and 6.0.2 through 6.0.2.43.
  • WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

Versions not impacted:
  • For JAX-WS Runtime:
      • WebSphere Application Server Versions 8.0.0.2 and later, and 7.0.0.21 and later.
      • WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.41 and later.
  • For JAX-RPC Runtime:
      • WebSphere Application Server Versions 8.0.0.3 and later, 7.0.0.23 and later, and 6.1.0.43 and later.
CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71319 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)

Remediation/Fixes

Solution:

  • For the JAX-WS runtime, apply both PM43585 and PM43792, or a Fix Pack containing these APAR fixes, as noted below.
  • For JAX-RPC runtime, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
  • For WebSphere Application Server Versions 7 and 8, apply both PM43585 and PM45181, or a Fix Pack containing both of these APAR fixes, as noted below.
  • For WebSphere Application Server Version 6.1, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
  • For WebSphere Application Server Feature Pack for Web Services Version 6.1, apply PM43792, or a Fix Pack containing this APAR fix, as noted below.
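The affected-version and APAR tables above, turned into a check that can be run against the output of an installation's versionInfo/historyInfo report. This is an added example, not code from IBM or from this bulletin: the sample report is constructed, its Name/Version layout and the PMnnnnn naming of interim fixes are assumptions to adapt to real output, and the parse_report, exposure and check_report functions are the example's own.

```python
"""Exposure check for CVE-2011-1377 built from this bulletin's version and
APAR tables (added example, not IBM code). Reads Name/Version pairs and
PMnnnnn identifiers from a versionInfo/historyInfo-style report; the sample
report is constructed and its layout is an assumption."""
import re
from typing import Dict, Optional, Set, Tuple

Version = Tuple[int, int, int, int]

def parse_version(text: str) -> Version:
    """'7.0.0.19' -> (7, 0, 0, 19); shorter strings are zero-padded."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))  # type: ignore[return-value]

def stream(v: Version) -> str:
    """Release stream as the bulletin names it: '8.0', '7.0', '6.1', '6.0.2' or 'other'."""
    if v[:3] == (6, 0, 2):
        return "6.0.2"
    return f"{v[0]}.{v[1]}" if v[:2] in {(8, 0), (7, 0), (6, 1)} else "other"

# Per stream and runtime: first Fix Pack that contains the fix (None = no fixing
# Fix Pack listed) and the interim-fix APAR(s) that close the hole on earlier levels.
FIX_TABLE: Dict[str, Dict[str, Tuple[Optional[Version], Set[str]]]] = {
    "8.0":   {"JAX-WS":  ((8, 0, 0, 2),  {"PM43585"}),
              "JAX-RPC": ((8, 0, 0, 3),  {"PM45181"})},
    "7.0":   {"JAX-WS":  ((7, 0, 0, 21), {"PM43585"}),
              "JAX-RPC": ((7, 0, 0, 23), {"PM45181"})},
    # On 6.1 the JAX-WS runtime ships in the Feature Pack for Web Services
    # (FEP_* below); the base product carries only the JAX-RPC fix.
    "6.1":   {"JAX-RPC": ((6, 1, 0, 43), {"PM45181"})},
    "6.0.2": {"JAX-RPC": (None,          {"PM45181"})},  # out of service: ++APAR only
}
FEP_AFFECTED_FROM: Version = (6, 1, 0, 9)   # Feature Pack 6.1.0.9 through 6.1.0.39
FEP_FIXED_FROM: Version = (6, 1, 0, 41)     # 6.1.0.41 and later, or PM43792
FEP_APAR = "PM43792"

def runtime_status(level: Version, fixed_from: Optional[Version],
                   apars: Set[str], installed: Set[str]) -> str:
    """'fixed' once the level is at or past the fixing Fix Pack or every
    required APAR is installed; otherwise 'vulnerable'."""
    if fixed_from is not None and level >= fixed_from:
        return "fixed"
    return "fixed" if apars <= installed else "vulnerable"

def exposure(was_version: str, installed_apars: Set[str],
             fep_version: Optional[str] = None) -> Dict[str, str]:
    """Status per runtime: 'vulnerable', 'fixed', or 'not covered' when the
    bulletin lists nothing for that stream/runtime combination."""
    v = parse_version(was_version)
    s = stream(v)
    result = {"JAX-WS": "not covered", "JAX-RPC": "not covered"}
    for runtime, (fixed_from, apars) in FIX_TABLE.get(s, {}).items():
        result[runtime] = runtime_status(v, fixed_from, apars, installed_apars)
    if s == "6.1" and fep_version is not None:
        f = parse_version(fep_version)
        if f >= FEP_FIXED_FROM:
            result["JAX-WS"] = "fixed"
        elif f >= FEP_AFFECTED_FROM:
            result["JAX-WS"] = runtime_status(f, None, {FEP_APAR}, installed_apars)
    return result

# Assumed report layout: "Name <product>" / "Version <level>" lines per product
# block, and APAR numbers appearing anywhere (e.g. inside an interim-fix id).
_PAIR = re.compile(r"^(Name|Version)[ \t]{2,}(\S.*?)[ \t]*$", re.MULTILINE)
_APAR = re.compile(r"PM\d{5}\b")

def parse_report(text: str) -> Tuple[Optional[str], Optional[str], Set[str]]:
    """Returns (base WAS level, Feature Pack for Web Services level, installed APARs)."""
    was = fep = name = None
    for key, value in _PAIR.findall(text):
        if key == "Name":
            name = value
        elif name is not None:
            if "Feature Pack for Web Services" in name:
                fep = value
            elif "WebSphere Application Server" in name:
                was = value
            name = None
    return was, fep, set(_APAR.findall(text))

def check_report(text: str) -> Dict[str, str]:
    was, fep, apars = parse_report(text)
    if was is None:
        raise ValueError("no WebSphere Application Server product found in report")
    return exposure(was, apars, fep)

# Constructed sample: 6.1 base with the JAX-RPC interim fix applied, Feature
# Pack for Web Services still at an affected level with no PM43792.
SAMPLE_REPORT = """\
Installed Product
Name                  IBM WebSphere Application Server - ND
Version               6.1.0.37

Installed Product
Name                  Feature Pack for Web Services
Version               6.1.0.37

Installed Maintenance Package
Maintenance Package ID 6.1.0.37-WS-WAS-IFPM45181
"""

if __name__ == "__main__":
    print(check_report(SAMPLE_REPORT))  # {'JAX-WS': 'vulnerable', 'JAX-RPC': 'fixed'}
```

The two runtimes are tracked separately because the bulletin fixes them at different levels: a 7.0.0.21 or 8.0.0.2 server is already clean for JAX-WS but still needs PM45181 (or the next Fix Pack) for JAX-RPC, and on 6.1 the JAX-WS exposure lives in the Feature Pack, not the base product, so checking the base Fix Pack level alone would miss it.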


For IBM WebSphere Application Server for distributed operating systems:

For Version 8.0.0.2:
For Versions 8.0 to 8.0.0.1:
For Version 7.0.0.21:
For Versions 7.0 through 7.0.0.19:
For Versions 6.1 through 6.1.0.41:
For Versions 6.0.2 through 6.0.2.43:
Notes:
  • Version 6.0.x is no longer in service (ended 29 September 2010).
  • The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For IBM WebSphere Application Server for IBM i operating systems:

For Version 8.0.0.2:
For Versions 8.0 to 8.0.0.1:
For Version 7.0.0.21:
For Versions 7.0 through 7.0.0.19:
For Versions 6.1 through 6.1.0.41:
For Versions 6.0.2 through 6.0.2.43:
Notes:
  • Version 6.0.x is no longer in service (ended 29 September 2010).
  • The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.

For WebSphere Application Server for z/OS operating systems:

For Version 8.0.0.2:
  • Apply Fix Pack 3 (8.0.0.3), or later.
For Versions 8.0 to 8.0.0.1:
  • Apply Fix Pack 3 (8.0.0.3), or later.
For Version 7.0.0.21:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181.
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
For Versions 7.0 through 7.0.0.19:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request ++APARs for PM45181 and PM43585.
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
For Versions 6.1 through 6.1.0.41:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181.
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
For Versions 6.0.2 through 6.0.2.43:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181.
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
Notes:
  • V6.0 is no longer in service (ended 30 September 2010).
  • Additional assistance will only be provided with a valid support extension for this version.
For WebSphere Application Server Feature Pack for Web Services for Distributed:

For 6.1.0.9 through 6.1.0.39:
  • Apply Fix Pack 43 (6.1.0.43), or later.

For WebSphere Application Server Feature Pack for Web Services for z/OS:

For 6.1.0.9 through 6.1.0.39:
  • Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM43792.
  • Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.

References

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.


Document Information

Modified date:
15 June 2018

UID

swg21587536