PK19195; 5.1.1.8: a corrupt token will allow login on Solaris
 Downloadable files
 
Abstract
A manipulated LTPA token taken from the subject's credential will allow access to an EJB after login on Solaris.
 
Download Description
PK19195 resolves the following problem:

ERROR DESCRIPTION:
If an application gets the LTPA token from the subject's credential, then manipulates the token and attempts to log in with it, on the Solaris platform that token can be used to gain access to an EJB.

LOCAL FIX:

PROBLEM SUMMARY

USERS AFFECTED:
All WebSphere Application Server users who have enabled security and are using LTPA authentication method.

PROBLEM DESCRIPTION:
A manipulated LTPA token taken from the subject's credential will allow access to an EJB after login on Solaris.

RECOMMENDATION:
None

An application logs in, gets the token from the subject's credential, then manipulates the token and attempts to log in with that token. On the Solaris platform the token can be used to gain access to an EJB.

PROBLEM CONCLUSION:
The corrupted token's signature was found to be invalid and the isValid flag was set to false, but the token constructor completed anyway. The code is fixed to throw an exception if isValid is false.
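
The pattern described in the problem conclusion, as an added illustration that is not IBM's code: a constructed token class whose constructor either records a validity flag without enforcing it (the pre-fix defect) or fails closed with an exception (the fix). The token format, the HMAC-SHA256 signature and the demo key are stand-ins for the real LTPA encoding and keys.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Constructed stand-in token format "<body>%<base64(HMAC-SHA256(body))>"; this is NOT
// the real LTPA encoding, it only reproduces the flag-versus-exception pattern of the APAR.
public final class SignedToken {
    private final String body;
    private final boolean isValid;
    private SignedToken(String raw, byte[] key, boolean failClosed) throws GeneralSecurityException {
        int sep = raw.lastIndexOf('%');
        if (sep < 0) throw new GeneralSecurityException("malformed token");
        this.body = raw.substring(0, sep);
        byte[] presented = Base64.getDecoder().decode(raw.substring(sep + 1));
        // Constant-time comparison of the presented signature against the recomputed one.
        this.isValid = MessageDigest.isEqual(hmac(body, key), presented);
        // Pre-fix: the flag is recorded but construction succeeds, so a caller that never
        // inspects isValid() treats the token as authenticated. Post-fix: fail closed.
        if (failClosed && !isValid) throw new GeneralSecurityException("token signature invalid");
    }
    public static SignedToken lenient(String raw, byte[] key) throws GeneralSecurityException {
        return new SignedToken(raw, key, false); // the defect described in the APAR
    }
    public static SignedToken strict(String raw, byte[] key) throws GeneralSecurityException {
        return new SignedToken(raw, key, true);  // the fix
    }
    public boolean isValid() { return isValid; }
    public static String issue(String body, byte[] key) throws GeneralSecurityException {
        return body + "%" + Base64.getEncoder().encodeToString(hmac(body, key));
    }
    private static byte[] hmac(String data, byte[] key) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed value
        String good = issue("user:alice", key);
        // Keep the valid signature but change the body it is supposed to cover.
        String tampered = "user:admin" + good.substring(good.lastIndexOf('%'));
        System.out.println("lenient: object built, isValid=" + lenient(tampered, key).isValid());
        try { strict(tampered, key); } catch (GeneralSecurityException e) {
            System.out.println("strict: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The lenient path returns a usable object for the altered token and relies on every caller checking isValid(); the strict path makes that check impossible to skip.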

There is no Service Pack planned for the 5.0.1, 5.1.0, 6.0 and 6.0.1 releases.
The fix for this APAR is currently targeted for inclusion in fixpacks 5.0.2.17 and 5.1.1.10.

Please refer to the Recommended Updates page for delivery dates:
http://www.ibm.com/support/docview.wss?&context=SSEQTP&uid=swg27004980
 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 5102
 
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
PK19195_502_fix 02-07-2006 US English 5826 FTP DD
PK19195_5114_fix 02-07-2006 US English 11464 FTP DD
PK19195_501_fix 2/20/2006 US English 5828 FTP DD
PK19195_510_fix 2/20/2006 US English 5875 FTP DD
PK19195.6.0-WS-WAS-IF0000001 2/20/2006 US English 16384 FTP DD
PK19195.6.0.1-WS-WAS-IF0000001 2/20/2006 US English 13942 FTP DD
 
Technical support
Contact IBM Support using ESR (http://www-306.ibm.com/software/support/probsub.html), visit the WebSphere Application Server Support Web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
Problems (APARS) fixed
PK19195
 
Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Solaris
Software version: 5.1.1.8
Software edition:
Reference #: 4011685
IBM Group: Software Group
Modified date: Mar 2, 2006