Fix (APAR): PK61315
Status: Fix
Release: 6.1.0.9,6.1.0.3,6.1.0.15
Operating System: AIX,HP-UX,i5/OS,Linux,Linux pSeries,OS/400,Solaris,Windows
Supersedes Fixes: PK34383 PK41002 PK41710 PK42833 PK54942 PK59201
CMVC Defect: 497656
Byte size of APAR: 2873764
Date: 2008-04-30

Abstract: The handling of a certain attribute within the SOAP security header could potentially create a security exposure in WS-Security enabled web services applications.

Description/symptom of problem:

PK61315 resolves the following problem:

ERROR DESCRIPTION:
There is a possible security exposure with the handling of a certain attribute within the web services SOAP security header.

LOCAL FIX:

PROBLEM SUMMARY
USERS AFFECTED: WebSphere Application Server version 6 administrators of WS-Security enabled web services providers
PROBLEM DESCRIPTION: There is a possible security exposure with the handling of a certain attribute within the web services SOAP security header.
RECOMMENDATION: None

PROBLEM CONCLUSION:
The handling of the attribute has been improved to remove this possible exposure. Applying APAR PK61315, or a Fix Pack containing this APAR, resolves this issue.

The fix for this APAR is currently targeted for inclusion in fixpack 6.0.2.29 and 6.1.0.17. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:

NOTE: Choose the:
1) Release the fix applies to
2) The Editions that apply
3) Delete the Editions & Methods that do not apply and this Note

Fix applies to Editions:
Release 6.1
_x_ Application Server (Express or BASE)
_x_ Network Deployment (ND)

Install Fix to:
Method:
_x_ Application Server Nodes

NOTE: The user must:
* Have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V6.0.2.2 or newer of the Update Installer. This can be checked by reviewing the level of the Update Installer in file /updateinstaller/version.txt.

The Update Installer can be downloaded from the following link:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

For detailed instructions to extract the Update Installer see the following Technote:
http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg21205400

1) Copy the pak file that is appropriate for your install base directly to the maintenance directory:

   For WebSphere installations that ARE NOT WebSphere Application Server Version 6.1 Feature Pack for Web Services:
   For 6.1.0.3, use: 6.1.0.3-WS-WAS-IFPK61315.pak
   For 6.1.0.9, use: 6.1.0.9-WS-WAS-IFPK61315.pak
   For 6.1.0.15, use: 6.1.0.15-WS-WAS-IFPK61315.pak

   For WebSphere installations that ARE WebSphere Application Server Version 6.1 Feature Pack for Web Services:
   For 6.1.0.15, use: 6.1.0.15-WS-WASWebSvc-IFPK61315.pak

   NOTE: If 6.1.0.15-WS-WASWebSvc-IFPK61315.pak has been installed, it is important that it be uninstalled before a new WebSphere Application Server 6.1 base fixpack is installed. The Update Installer WILL NOT prevent the installation of the fixpack if 6.1.0.15-WS-WASWebSvc-IFPK61315.pak is installed. If 6.1.0.15-WS-WASWebSvc-IFPK61315.pak is uninstalled after a new WebSphere Application Server 6.1 base fixpack has been applied, the WS-Security runtime within the application server will not be operational.

2) Shut down WebSphere.

   Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that maintenance is being applied to.

3) Launch the Update Installer.

4) Enter the installation location of the WebSphere product you want to update.

5) Select the "Install maintenance package" operation.

6) Enter the file name of the maintenance package to install that is appropriate for your install base (the file that was copied to the maintenance directory in step #1).

7) Install the maintenance package.

8) Restart WebSphere.

Directions to remove fix:

NOTE:
* The user must have Administrative rights in Windows, or be the actual root user in a UNIX environment.
* FIXES MUST BE REMOVED IN THE ORDER THEY WERE APPLIED
* DO NOT REMOVE A FIX UNLESS ALL FIXES APPLIED AFTER IT HAVE FIRST BEEN REMOVED
* YOU MAY REAPPLY ANY REMOVED FIX

Example: If your system has fix1, fix2, and fix3 applied in that order and fix2 is to be removed, fix3 must be removed first, fix2 removed, and fix3 re-applied.

1) Shut down WebSphere.

   Manually execute setupCmdLine.bat in Windows or . ./setupCmdLine.sh in Unix from the WebSphere instance that uninstall is being run against.

2) Start the Update Installer.

3) Enter the installation location of the WebSphere product you want to remove the fix from.

4) Select the "Uninstall maintenance package" operation.

5) Enter the name of the fix to uninstall (PK61315).

6) Uninstall the maintenance package.

7) Restart WebSphere.

Directions to re-apply fix:

1) Shut down WebSphere.

2) Follow the Fix instructions to apply the fix.

3) Restart WebSphere.

Additional Information:
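
The removal-order rule from the "Directions to remove fix" note (a fix may be removed only after every fix applied after it has been removed, and removed fixes may be re-applied), turned into a plan generator. This is an added example, not part of the IBM readme; the function name removal_plan is hypothetical, and the applied-fix order is assumed to be supplied by the operator, oldest first.

```shell
#!/bin/sh
# Added example (not IBM code): list the Update Installer operations needed
# to remove one fix without violating the removal-order rule.
# Usage: removal_plan TARGET FIX...   where FIX... is the applied order,
# oldest first. Assumes fix names contain no whitespace.
removal_plan() {
    target=$1
    shift
    found=0
    newest_first=""   # fixes applied after TARGET, newest first
    oldest_first=""   # the same fixes in their original order
    for fix in "$@"; do
        if [ "$found" -eq 1 ]; then
            newest_first="$fix $newest_first"
            oldest_first="$oldest_first $fix"
        elif [ "$fix" = "$target" ]; then
            found=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "error: $target is not in the applied-fix list" >&2
        return 1
    fi
    # Everything applied after the target comes off first, newest first.
    for fix in $newest_first; do
        printf 'uninstall %s\n' "$fix"
    done
    printf 'uninstall %s\n' "$target"
    # Removed fixes may be re-applied, in the order they were first applied.
    for fix in $oldest_first; do
        printf 'reapply %s\n' "$fix"
    done
}

# The readme's own scenario: fix1, fix2, fix3 applied in that order,
# and fix2 is the one to remove.
removal_plan fix2 fix1 fix2 fix3
```

Each line of the plan corresponds to one pass through the Update Installer steps above, with WebSphere shut down before the first operation and restarted after the last.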