CVSS2 base score: 10 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could randomly gain elevated privileges on the provider system. WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token after authentication. This impacts applications using either JAX-WS or JAX-RPC.
CVE ID: CVE-2011-1377
Versions affected:
Versions not impacted:
Solution:
For IBM WebSphere Application Server for distributed operating systems:
For Version 8.0.0.2:
Apply Interim Fix APAR PM45181
-OR-
Apply Fix Pack 3 (8.0.0.3), or later.
For Versions 8.0 to 8.0.0.1:
Apply Interim Fix APAR PM43585 and Interim Fix APAR PM45181
-OR-
Apply Fix Pack 3 (8.0.0.3), or later.
For Version 7.0.0.21:
Apply Interim Fix APAR PM45181
-OR-
Apply Fix Pack 23 (7.0.0.23), or later.
For Versions 7.0 through 7.0.0.19:
Apply Interim Fix APAR PM45181 and Interim Fix APAR PM43585
-OR-
Apply Fix Pack 23 (7.0.0.23), or later.
For Versions 6.1 through 6.1.0.41:
Apply Interim Fix APAR PM45181
-OR-
Apply Fix Pack 43 (6.1.0.43), or later.
For Versions 6.0.2 through 6.0.2.43:
Apply Interim Fix APAR PM45181
Notes:
Version 6.0.x is no longer in service (ended 29 September 2010).
The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For IBM WebSphere Application Server for IBM i operating systems:
For Version 8.0.0.2:
Apply Interim Fix APAR PM45181
-OR-
Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.
For Versions 8.0 to 8.0.0.1:
Apply Interim Fix APAR PM43585 and Interim Fix APAR PM45181
-OR-
Apply the WebSphere Application Server PTF group which includes Fix Pack 3, or later, according to the PTF group instructions.
For Version 7.0.0.21:
Apply Interim Fix APAR PM45181
-OR-
Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.
For Versions 7.0 through 7.0.0.19:
Apply Interim Fix APAR PM45181 and Interim Fix APAR PM43585
-OR-
Apply the WebSphere Application Server PTF group which includes Fix Pack 23, or later, according to the PTF group instructions.
For Versions 6.1 through 6.1.0.41:
Apply Interim Fix APAR PM45181
-OR-
Apply the WebSphere Application Server PTF group which includes Fix Pack 43, or later, according to the PTF group instructions.
For Versions 6.0.2 through 6.0.2.43:
Apply Interim Fix APAR PM45181
Notes:
Version 6.0.x is no longer in service (ended 29 September 2010).
The purchase of a support extension may be required, if additional assistance is needed, unless otherwise entitled to support.
For WebSphere Application Server for z/OS operating systems:
For Version 8.0.0.2:
Apply Interim Fix APAR PM45181
-OR-
Apply Fix Pack 3 (8.0.0.3), or later.
For Versions 8.0 to 8.0.0.1:
Apply Interim Fix APAR PM43585 and Interim Fix APAR PM45181
-OR-
Apply Fix Pack 3 (8.0.0.3), or later.
For Version 7.0.0.21:
Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
-OR-
Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS
For Versions 7.0 through 7.0.0.19:
Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request ++APARs for PM45181 and PM43585
Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed
-OR-
Apply Fix Pack 7.0.0.23, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS
For Versions 6.1 through 6.1.0.41:
Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
-OR-
Apply Fix Pack 6.1.0.43, or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.
For Versions 6.0.2 through 6.0.2.43:
Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM45181
Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
Notes:
V6.0 is no longer in service (ended 30 September 2010).
Additional assistance will only be provided with a valid support extension for this version.
For WebSphere Application Server Feature Pack for Web Services for Distributed:
For 6.1.0.9 through 6.1.0.39:
Apply Interim Fix APAR PM43792
-OR-
Apply Fix Pack 43 (6.1.0.43), or later.
For WebSphere Application Server Feature Pack for Web Services for z/OS:
For 6.1.0.9 through 6.1.0.39:
Open a Problem Management Record (PMR) with IBM WebSphere Application Server support to request a ++APAR for PM43792
Please include, in the PMR, your WebSphere Application Server Fix Pack level, as well as any additional ++APARs and Feature Packs that you have installed.
-OR-
Apply Fix Pack 43 (6.1.0.43), or later, at APAR/PTF Tables by version for IBM WebSphere Application Server for z/OS.