Fix (APAR): PM90949
Status: Fix
Release: 8.0.0.7, 8.0.0.6, 8.0.0.5, 8.0.0.4, 8.0.0.3
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Supersedes Fixes:
CMVC Defect: PM90949
Byte size of APAR: 639313
Date: 2013-10-16

Abstract: Potential vulnerability in WS-Security with XML Digital Signatures

Description/symptom of problem:
PM90949 resolves the following problem:

ERROR DESCRIPTION: IBM WebSphere Application Server users of WS-Security enabled JAX-WS and JAX-RPC web services with XML digital signature could experience improper checking of a certificate.

PROBLEM SUMMARY: IBM WebSphere Application Server using WS-Security and configured for XML Digital Signature with a trust store could allow a network attacker to gain elevated privileges on the system, caused by improper checking of the certificate. This issue applies to both the JAX-WS and JAX-RPC runtimes.

PROBLEM CONCLUSION: The WS-Security runtime has been updated to fix this potential security vulnerability.

This issue exists in IBM WebSphere Application Server 6.0.2.0 through 6.0.2.43, 6.1.0.0 through 6.1.0.45, 7.0.0.0 through 7.0.0.29, 8.0.0.0 through 8.0.0.7, 8.5.0.0 through 8.5.0.2, and 8.5.5.0. This issue also exists in IBM WebSphere Application Server Version 6.1 Feature Pack for Web Services 6.1.0.13 through 6.1.0.45; it is fixed under APAR PM91521.

The following ifixes exist:
6.0.2.43-WS-WAS-IFPM90949.pak applies to 6.0.2.43
6.1.0.33-WS-WAS-IFPM90949.pak applies to 6.1.0.33 through 6.1.0.45
7.0.0.23-WS-WAS-IFPM90949.pak applies to 7.0.0.23 through 7.0.0.27
7.0.0.29-WS-WAS-IFPM90949.pak applies to 7.0.0.29
8.0.0.3-WS-WASProd-IFPM90949.zip applies to 8.0.0.3 through 8.0.0.5
8.0.0.6-WS-WASProd-IFPM90949.zip applies to 8.0.0.6 through 8.0.0.7
8.5.0.1-WS-WASProd-IFPM90949.zip applies to 8.5.0.1
8.5.0.2-WS-WASProd-IFPM90949.zip applies to 8.5.0.2
8.5.5.0-WS-WASProd-IFPM90949.zip applies to 8.5.5.0

The fix for this APAR is currently targeted for inclusion in fix packs 6.1.0.47, 7.0.0.31, 8.0.0.8, and 8.5.5.1.
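The problem summary above describes the failure mode in general terms only: an XML digital signature was accepted without the signer's certificate being properly checked against the configured trust store. The following Java program is an added illustration of what that check should look like with the standard javax.xml.crypto.dsig API; it is not IBM's code and does not reproduce the WebSphere WS-Security runtime or the actual defect. The class name TrustedX509KeySelector, the command-line arguments (signed XML file, JKS trust store path, trust store password) and the single-certificate PKIX path are all assumptions made for this example. The KeySelector hands a verification key to the signature engine only after PKIX validation of the certificate carried in KeyInfo succeeds, so an untrusted signer causes the whole validation to fail rather than being silently accepted.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

import javax.xml.XMLConstants;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Hypothetical example (not IBM's code): a KeySelector that releases the
 * signer's public key only after the X.509 certificate found in <KeyInfo>
 * has been validated by PKIX against the configured trust store.
 */
public class TrustedX509KeySelector extends KeySelector {
    private final KeyStore trustStore;

    public TrustedX509KeySelector(KeyStore trustStore) {
        this.trustStore = trustStore;
    }

    @Override
    public KeySelectorResult select(KeyInfo keyInfo, Purpose purpose,
                                    AlgorithmMethod method, XMLCryptoContext context)
            throws KeySelectorException {
        if (keyInfo == null) {
            throw new KeySelectorException("signature carries no KeyInfo");
        }
        for (Object content : keyInfo.getContent()) {
            if (!(content instanceof X509Data)) continue;
            for (Object item : ((X509Data) content).getContent()) {
                if (!(item instanceof X509Certificate)) continue;
                X509Certificate cert = (X509Certificate) item;
                validateAgainstTrustStore(cert);        // throws if not trusted
                final Key key = cert.getPublicKey();     // only reached for a trusted cert
                return new KeySelectorResult() {
                    public Key getKey() { return key; }
                };
            }
        }
        throw new KeySelectorException("no X509Certificate in KeyInfo");
    }

    // Assumption: the certificate is either issued directly by a trust anchor or is
    // itself an anchor. Intermediates carried in X509Data would need to be added to
    // the CertPath (or a CertStore) before validation.
    private void validateAgainstTrustStore(X509Certificate cert) throws KeySelectorException {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Collections.singletonList(cert));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // enable and configure CRL/OCSP in production
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            throw new KeySelectorException("signer certificate not trusted: " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw new KeySelectorException("certificate validation error", e);
        }
    }

    /**
     * Validates the first ds:Signature in the document. Returns true only when the
     * signer certificate chains to the trust store AND the SignatureValue and every
     * Reference digest verify; a KeySelectorException surfaces as a failed validation.
     * Documents whose References use URI="#id" need ctx.setIdAttributeNS(...) first.
     */
    public static boolean verify(Document doc, KeyStore trustStore) throws Exception {
        NodeList nl = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (nl.getLength() == 0) return false;
        DOMValidateContext ctx = new DOMValidateContext(
                new TrustedX509KeySelector(trustStore), nl.item(0));
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        try {
            return sig.validate(ctx);
        } catch (XMLSignatureException e) {
            System.err.println("validation failed: " + e.getMessage());
            return false;
        }
    }

    // Usage (assumed arguments): java TrustedX509KeySelector signed.xml trust.jks changeit
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) {
            ts.load(in, args[2].toCharArray());
        }
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // no external entities
        Document doc = dbf.newDocumentBuilder().parse(args[0]);
        System.out.println(verify(doc, ts) ? "signature valid and signer trusted" : "REJECTED");
    }
}
```

The point of the design is ordering: the trust decision is made inside the KeySelector, before the signature engine ever receives a key, so a cryptographically valid signature made with a key that does not chain to the trust store is rejected. Revocation checking is disabled here only to keep the example self-contained; a deployment verifying WS-Security messages should turn it on and supply CRL or OCSP configuration.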
Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:
Fix applies to Editions: Release 8.0
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.
Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp.
Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information: