Security Bulletin
Summary
There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS and JAX-RPC.
Vulnerability Details
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could randomly gain elevated privileges on the provider system. WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC
Affected Products and Versions
CVE ID: CVE-2011-1377
Versions affected:
- WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through 6.0.2.43.
- WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.
Versions not impacted:
- For JAX-WS Runtime:
- WebSphere Application Server Versions 8.0.0.2 and later, and 7.0.0.21 and later.
- WebShere Application Server Feature Pack for Web Services Versions 6.1.0.41 and later,
- For JAX-RPC Runtime:
- WebSphere Application Server Versions 8.0.0.3 and later, 7.0.0.23 and later, and 6.1.0.43 and later,
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71319 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)
Remediation/Fixes
Solution:
- For the JAX-WS runtime, apply both PM43585 and PM43792, or a Fix Pack containing these APAR fixes, as noted below.
- For JAX-RPC runtime, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
- For WebSphere Application Server Versions 7 and 8, apply both PM43585 and PM45181, or a Fix Pack containing both of these APAR fixes, as noted below.
- For WebSphere Application Server Version 6.1, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
- For WebSphere Application Server Feature Pack for Web Services Version 6.1, apply PM43792, or a Fix Pack containing this APAR as noted below.
For IBM WebSphere Application Server for distributed operating systems:
For Version 8.0.0.2:
- Apply Interim Fix APAR PM45181
- Apply Fix Pack 3 (8.0.0.3), or later.
For Versions 8.0 to 8.0.0.1: -OR-
- Apply Fix Pack 3 (8.0.0.3), or later.
For Version 7.0.0.21:
- Apply Interim Fix APAR PM45181
- Apply Fix Pack 23 (7.0.0.23), or later.
For Versions 7.0 through 7.0.0.19: -OR-
- Apply Fix Pack 23 (7.0.0.23), or later.
For Versions 6.1 through 6.1.0.41:
- Apply Interim Fix APAR PM45181
- Apply Fix Pack 43 (6.1.0.43), or later.
- Apply Interim Fix APAR PM45181
- Version 6.0.x is no longer in service (ended 29 September 2010).
- The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For Version 8.0.0.2:
- Apply Interim Fix APAR PM45181
- Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.
- Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.
For Version 7.0.0.21:
- Apply Interim Fix APAR PM45181
- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.
For Versions 7.0 through 7.0.0.19: -OR-
- Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.
For Versions 6.1 through 6.1.0.41:
- Apply Interim Fix APAR PM45181
- Apply the WebSphere Application Server PTF group which includes Fix Pack 43, or later, according to the PTF group instructions.
For Versions 6.0.2 through 6.0.2.43:
- Apply Interim Fix APAR PM45181
- Version 6.0.x is no longer in service (ended 29 September 2010).
- The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For WebSphere Application Server for z/OS operating systems:
For Version 8.0.0.2:
- Apply Interim Fix APAR PM45181
- Apply Fix Pack 3 (8.0.0.3), or later.
- Apply Fix Pack 3 (8.0.0.3), or later.
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
- Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request ++APARs for PM45181 and PM43585
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
- Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS
For Versions 6.1 through 6.1.0.41:
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
- Apply Fix Pack 6.1.0.43, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
- V6.0 is no longer in service (ended 30 September 2010).
- Additional assistance will be only be provided with a valid support extension for this version.
For 6.1.0.9 through 6.1.0.39:
- Apply Interim Fix APAR PM43792
- Apply Fix Pack 43 (6.1.0.43), or later.
For 6.1.0.9 through 6.1.0.39:
- Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM43792
- Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
- Apply Fix Pack 43 (6.1.0.43), or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21587536