=====================================================================
                                   CERT-Renater

                        Information Note No. 2010/VULN224
_____________________________________________________________________

DATE                      : 21/06/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running IBM WebSphere Application Server version 7.x,
                            IBM WebSphere Application Server Feature Pack for Web Services
                            versions 6.1.0.9 up to and including 6.1.0.32,
                            IBM WebSphere Application Server Feature Pack for Web 2.0 version 1.0.1.0.

======================================================================
http://www-01.ibm.com/support/docview.wss?uid=swg21433581
______________________________________________________________________

Potential security exposure with IBM WebSphere Application Server with JAX-WS
or JAX-RS (PM14844, PM14847, PM14765)

Flash (Alert)

Abstract
Potential risk when using Web Services on WebSphere Application Server

Content

Versions affected:

IBM WebSphere Application Server Versions 7.0 through 7.0.0.12, Feature Pack
for Web Services Versions 6.1.0.9 through 6.1.0.32, and Feature Pack for Web
2.0 Version 1.0.1.0 are affected.

IBM WebSphere Application Server Versions 6.1, and earlier releases, are not
affected. However, note that the Feature Pack for Web Services Versions 6.1.0.9
through 6.1.0.32 are affected.
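Added example (not IBM's or CERT-Renater's code): a Python triage helper that encodes the affected ranges listed above and flags inventory rows that fall inside them. Host names and version strings in the sample inventory are constructed; it also shows the 6.1 base server versus Feature Pack distinction the text points out.

```python
# Triage helper for this advisory: checks installed WebSphere version strings
# against the affected ranges stated above. Added example, not IBM's code.
from typing import List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.0' or '7.0.0.12' -> 4-tuple of ints, zero-padded so '7.0' < '7.0.0.1'."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


# Inclusive affected ranges exactly as the advisory lists them, keyed by product.
AFFECTED = {
    "WebSphere Application Server": (parse_version("7.0"), parse_version("7.0.0.12")),
    "Feature Pack for Web Services": (parse_version("6.1.0.9"), parse_version("6.1.0.32")),
    "Feature Pack for Web 2.0": (parse_version("1.0.1.0"), parse_version("1.0.1.0")),
}


def is_affected(product: str, version: str) -> bool:
    """True if this product at this version falls inside an affected range.

    A base 6.1 server is out of range (the advisory says it is not affected),
    but a Feature Pack for Web Services 6.1.0.9 - 6.1.0.32 installed on it is.
    """
    if product not in AFFECTED:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    low, high = AFFECTED[product]
    return low <= parse_version(version) <= high


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return 'host: product version' for each affected (host, product, version) row."""
    return [f"{host}: {product} {version}"
            for host, product, version in inventory if is_affected(product, version)]


# Constructed sample inventory; hostnames and levels are made up for illustration.
SAMPLE_INVENTORY = [
    ("app01", "WebSphere Application Server", "7.0.0.12"),   # affected
    ("app02", "WebSphere Application Server", "7.0.0.13"),   # fixed level
    ("app03", "WebSphere Application Server", "6.1.0.29"),   # base 6.1: not affected
    ("app03", "Feature Pack for Web Services", "6.1.0.29"),  # ...but its feature pack is
    ("app04", "Feature Pack for Web 2.0", "1.0.1.1"),        # fix pack 1 applied
]

if __name__ == "__main__":
    for line in triage(SAMPLE_INVENTORY):
        print("AFFECTED", line)
```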

Problem description:
The web services run-time might allow an attacker to cause a denial of service
or to remotely read arbitrary files on the file system where the run-time is
installed. Any installation that receives XML messages from untrusted sources
is potentially exposed to this vulnerability. The vulnerability was originally
reported by the Apache community's Axis2 project in security advisory
CVE-2010-1632.

Solutions:

For IBM WebSphere Application Server for Distributed Platforms:

      For V7.0 through 7.0.0.11:
          o Apply Fix Pack 3 (7.0.0.3), or later, if not already at this level,
            then
          o Apply Interim Fix APAR PM14844
            --OR--
          o Install Fix Pack 13 (7.0.0.13), or later (targeted to be available
            October 2010).

For IBM WebSphere Application Server for i5/OS Platforms:

      For V7.0 through 7.0.0.11:
          o Apply Fix Pack 3 (7.0.0.3), or later, if not already at this level,
            then
          o Apply Interim Fix APAR PM14844
            --OR--
          o Apply the WebSphere Application Server PTF group which includes Fix
            Pack 13 (7.0.0.13), or later, (targeted to be available October
            2010), according to the PTF group instructions.

For IBM WebSphere Application Server for z/OS Platforms:

      For V7.0 through 7.0.0.12:
          o Apply APAR PM14844 by way of the appropriate PTFs for 7.0.0.13 or
            later (targeted to be available November 2010).

For IBM WebSphere Application Server Feature Pack for Web Services:

      For V6.1.0.9 through 6.1.0.32:
          o Apply Fix Pack 27 (6.1.0.27), or later, if not already at this
            level, then
          o Apply Interim Fix APAR PM14847
            --OR--
          o Install Fix Pack 33 (6.1.0.33), or later (targeted to be available
            September 2010).

For IBM WebSphere Application Server Feature Pack for Web 2.0:

      For Version 1.0.1.0:
          o Apply Interim Fix APAR PM14765 (targeted to be available 22 June
            2010).
            --OR--
          o Install Web 2.0 Feature Pack Fix Pack 1 (1.0.1.1), or later
            (targeted to be available November 2010).

Additional documentation:
For additional details and information on WebSphere Application Server product
updates:

    * For Distributed, see Recommended fixes for WebSphere Application Server.
    * For i5/OS, see WebSphere Application Server for i5/OS.
    * For z/OS, see WebSphere Application Server for z/OS.

Cross Reference information
Segment     Application Servers
Product     WebSphere Application Server for z/OS
Component   Web Services (for example: SOAP or UDDI or WSGW/WSIF)
Platform    z/OS, OS/390
Version     7.0.0.9, 7.0.0.8, 7.0.0.7, 7.0.0.5, 7.0.0.4, 7.0.0.3, 7.0.0.1, 7.0
Edition     Feature Pack for Web 2.0, Feature Pack for Web Services

Segment     Application Servers
Product     WebSphere Application Server Hypervisor Edition
Component   Web Services (for example: SOAP or UDDI or WSGW/WSIF)
Platform    AIX, Linux
Version     7.0
Edition     All Editions


Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================


