Security Bulletin: Possible security exposure with WebSphere Application Server with WS-Security enabled applications using LTPA tokens (PM43585/PM43792/PM45181)

Summary

There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS and JAX-RPC.

Vulnerability Details

WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could randomly gain elevated privileges on the provider system. WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS and JAX-RPC

Affected Products and Versions

CVE ID: CVE-2011-1377_
_
Versions affected:

• WebSphere Application Server, all platforms, Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, and 6.1 through 6.1.0.41, 6.0.2 through 6.0.2.43**.**
• WebSphere Application Server Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.39.

Versions not impacted:

• For JAX-WS Runtime:
• WebSphere Application Server Versions 8.0.0.2 and later, and 7.0.0.21 and later.
• WebShere Application Server Feature Pack for Web Services Versions 6.1.0.41 and later,
• For JAX-RPC Runtime:
• WebSphere Application Server Versions 8.0.0.3 and later, 7.0.0.23 and later, and 6.1.0.43 and later,
• CVSS:
  CVSS Base Score: 2.1
  CVSS Temporal Score: See_ http://xforce.iss.net/xforce/xfdb/71319 __ for the current score
  CVSS Environmental Score*: Undefined
  CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)_

Remediation/Fixes

Solution:

• For the JAX-WS runtime, apply both PM43585and PM43792, or a Fix Pack containing these APAR fixes, as noted below.
• For JAX-RPC runtime, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
• For WebSphere Application Server Versions 7 and 8, apply both PM43585and PM45181, or a Fix Pack containing both of these APAR fixes, as noted below.
• For WebSphere Application Server Version 6.1, apply PM45181, or a Fix Pack containing this APAR fix, as noted below.
• For WebSphere Application Server Feature Pack for Web Services Version 6.1, apply PM43792, or a Fix Pack containing this APAR as noted below.

For IBM WebSphere Application Server for distributed operating systems:

For Version 8.0.0.2:

• Apply Interim Fix APAR PM45181
  -OR-

• Apply Fix Pack 3 (8.0.0.3), or later.

For Versions 8.0 to 8.0.0.1:

• Apply Interim Fix APAR PM43585 and Interim Fix APAR PM45181-OR-

• Apply Fix Pack 3 (8.0.0.3), or later.

For Version 7.0.0.21:

• Apply Interim Fix APAR PM45181
  -OR-

• Apply Fix Pack 23 (7.0.0.23), or later.

For Versions 7.0 through 7.0.0.19:

• Apply Interim Fix APAR PM45181 and Interim Fix APAR PM43585-OR-

• Apply Fix Pack 23 (7.0.0.23), or later.

For Versions 6.1 through 6.1.0.41:

• Apply Interim Fix APAR PM45181
  -OR-

• Apply Fix Pack 43 (6.1.0.43), or later.

• For Versions 6.0.2 through 6.0.2.43:

• Apply Interim Fix APAR PM45181
  Notes:

• Version 6.0.x is no longer in service (ended 29 September 2010).

• The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.

• For IBM WebSphere Application Server for IBM i operating systems:

For Version 8.0.0.2:

• Apply Interim Fix APAR PM45181
  -OR-

• Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.

For Versions 8.0 to 8.0.0.1:

• Apply Interim Fix APAR PM43585 and Interim Fix APAR PM45181-OR-

• Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.

For Version 7.0.0.21:

• Apply Interim Fix APAR PM45181
  -OR-

• Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.

For Versions 7.0 through 7.0.0.19:

• Apply Interim Fix APAR PM45181 and Interim Fix APAR PM43585-OR-

• Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.

For Versions 6.1 through 6.1.0.41:

• Apply Interim Fix APAR PM45181
  -OR-

• Apply the WebSphere Application Server PTF group which includes Fix Pack 43, or later, according to the PTF group instructions.

For Versions 6.0.2 through 6.0.2.43:

• Apply Interim Fix APAR PM45181
  Notes:

• Version 6.0.x is no longer in service (ended 29 September 2010).

• The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.

For WebSphere Application Server for z/OS operating systems:

For Version 8.0.0.2:

• Apply Interim Fix APAR PM45181
  -OR-

• Apply Fix Pack 3 (8.0.0.3), or later.

For Versions 8.0 to 8.0.0.1:

• Apply Interim Fix APAR PM43585 and Interim Fix APAR PM45181-OR-

• Apply Fix Pack 3 (8.0.0.3), or later.

• For Version 7.0.0.21:

• Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181

• Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
  --OR–

• Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS

• For Versions 7.0 through 7.0.0.19:

• Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request ++APARs for PM45181 and PM43585

• Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
  -OR-

• Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS

For Versions 6.1 through 6.1.0.41:

• Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181

• Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
  --OR–

• Apply Fix Pack 6.1.0.43, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.

• For Versions 6.0.2 through 6.0.2.43:

• Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181

• Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
  Notes:

• V6.0 is no longer in service (ended 30 September 2010).

• Additional assistance will be only be provided with a valid support extension for this version.

• For WebSphere Application Server Feature Pack for Web Services for Distributed:

For 6.1.0.9 through 6.1.0.39:

• Apply Interim Fix APAR PM43792
  -OR-

• Apply Fix Pack 43 (6.1.0.43), or later.

• For WebSphere Application Server Feature Pack for Web Services for z/OS:

For 6.1.0.9 through 6.1.0.39:

• Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM43792

• Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
  -OR-

• Apply Fix Pack 43 (6.1.0.43), or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.