-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1135
 IC93263: POSSIBLE UNAUTHENTICATED ACCESS WITH SOME KERBEROS AAA POLICIES
                              20 August 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere DataPower SOA Appliances
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg1IC93263

- --------------------------BEGIN INCLUDED TEXT--------------------

IC93263: POSSIBLE UNAUTHENTICATED ACCESS WITH SOME KERBEROS AAA POLICIES.

Document information

    Product:           WebSphere DataPower SOA Appliances (General)
    Software version:  5.0.0
    Reference #:       IC93263
    Modified date:     2013-08-08


APAR status

    Closed as program error.

Error description

    An unauthenticated client might be granted access to resources
    protected by an AAA policy when 'Validate a Kerberos AP-REQ for the
    Correct Server Principal' is selected as the authentication method.
    This only affects policies that also either use the AAA
    PostProcessing feature 'Include a WS-Security Kerberos AP-REQ token'
    or have a Sign action using store:///sign-kerberos-hmac-wssec.xsl
    configured with the same server principal as the AAA authentication
    step.

Local fix

    Before the AAA action, validate that the request itself carries a
    Kerberos AP-REQ, either as a WS-Security BinarySecurityToken or as a
    SPNEGO token, and reject any request that does not. The check must
    run ahead of AAA so that a request with no client-supplied AP-REQ is
    never authenticated on the strength of a token the policy itself
    adds later.
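
    The following Python gate is an added example of the local fix
    above, written for this bulletin; it is not IBM's code and does not
    run on the appliance, where the equivalent check would be placed in
    the processing policy ahead of the AAA action. It admits a request
    only if the client supplied a Kerberos AP-REQ, either as a
    WS-Security BinarySecurityToken whose ValueType is one of those
    defined by the OASIS Kerberos Token Profile 1.1, or as a SPNEGO or
    Kerberos GSS-API token in an HTTP 'Authorization: Negotiate' header.
    The SOAP envelope, HTTP headers and tokens it handles are constructed
    samples, and the AP-REQ payloads inside them are placeholders, not
    real tickets; the helper and sample names are this example's own.

```python
"""Pre-AAA gate: admit a request only if the client itself supplied a Kerberos AP-REQ.
Added example for IC93263, not IBM DataPower code. Token framing per RFC 2743, RFC 4121,
RFC 4178 and the OASIS Kerberos Token Profile 1.1; every sample below is constructed."""
import base64, binascii
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
KRB_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1"
# ValueType URIs the Kerberos Token Profile 1.1 assigns to AP-REQ tokens.
AP_REQ_VALUE_TYPES = {f"{KRB_PROFILE}#{g}Kerberosv5_AP_REQ{s}"
                      for g in ("", "GSS_") for s in ("", "1510", "4120")}
OID_SPNEGO = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
TOK_ID_AP_REQ = b"\x01\x00"                      # KRB_AP_REQ token id (RFC 4121)
EMPTY_SOAP = '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>'

def _gss_header(tok):
    """(mech OID, inner token) of an RFC 2743 InitialContextToken, or None if malformed."""
    if len(tok) < 4 or tok[0] != 0x60:
        return None
    n, pos = tok[1], 2
    if n & 0x80:                                 # long-form DER length
        k = n & 0x7F
        if not 1 <= k <= 4 or len(tok) < 2 + k:
            return None
        n, pos = int.from_bytes(tok[2:2 + k], "big"), 2 + k
    if n < 2 or len(tok) != pos + n or tok[pos] != 0x06:   # exact length, then OID tag
        return None
    olen = tok[pos + 1]
    oid = tok[pos + 2:pos + 2 + olen]
    return (oid, tok[pos + 2 + olen:]) if not olen & 0x80 and len(oid) == olen else None

def classify_token(tok):
    """'AP-REQ' bare KRB_AP_REQ [APPLICATION 14]; 'GSS-AP-REQ' Kerberos GSS token
    wrapping one; 'SPNEGO' NegTokenInit; None for anything else."""
    if tok[:1] == b"\x6e":
        return "AP-REQ"
    oid, inner = _gss_header(tok) or (None, b"")
    if oid == OID_SPNEGO and inner[:1] == b"\xa0":
        return "SPNEGO"
    if oid == OID_KRB5 and inner[:2] == TOK_ID_AP_REQ:
        return "GSS-AP-REQ"
    return None

def _b64(s):
    try:
        return base64.b64decode(s.strip(), validate=True)
    except (binascii.Error, ValueError):
        return b""

def ap_req_in_soap(envelope):
    """Kind of AP-REQ carried in a wsse:BinarySecurityToken, or None."""
    for bst in ET.fromstring(envelope).iter(f"{{{WSSE_NS}}}BinarySecurityToken"):
        if bst.get("ValueType") in AP_REQ_VALUE_TYPES:
            kind = classify_token(_b64(bst.text or ""))
            if kind:
                return kind
    return None

def ap_req_in_http(headers):
    """Kind of token in 'Authorization: Negotiate <base64>', or None."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, data = auth.partition(" ")
    kind = classify_token(_b64(data)) if scheme.lower() == "negotiate" else None
    return kind if kind in ("SPNEGO", "GSS-AP-REQ") else None

def precheck(headers, body):
    """Run ahead of the AAA action: returns where the client's AP-REQ was found, or
    raises PermissionError so the request reaches neither AAA nor the post-processing
    that would attach an appliance-generated AP-REQ."""
    kind = ap_req_in_http(headers)
    if kind:
        return f"http:{kind}"
    kind = ap_req_in_soap(body)
    if kind:
        return f"soap:{kind}"
    raise PermissionError("no client AP-REQ (BinarySecurityToken or SPNEGO) in request")

# Constructed samples; the AP-REQ payload b"\x6e\x02\x30\x00" is a placeholder, not a ticket.
def _ictoken(oid, inner):
    body = b"\x06" + bytes([len(oid)]) + oid + inner
    return b"\x60" + bytes([len(body)]) + body

def gss_ap_req_sample():
    return _ictoken(OID_KRB5, TOK_ID_AP_REQ + b"\x6e\x02\x30\x00")

def spnego_sample():
    return _ictoken(OID_SPNEGO, b"\xa0\x02\x30\x00")

def soap_with_bst(value_type, token):
    return (f'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Header>'
            f'<wsse:Security xmlns:wsse="{WSSE_NS}"><wsse:BinarySecurityToken '
            f'ValueType="{value_type}">{base64.b64encode(token).decode()}'
            f'</wsse:BinarySecurityToken></wsse:Security></s:Header><s:Body/></s:Envelope>')

def negotiate_headers(token):
    return {"Authorization": "Negotiate " + base64.b64encode(token).decode()}

if __name__ == "__main__":
    print(precheck({}, soap_with_bst(f"{KRB_PROFILE}#GSS_Kerberosv5_AP_REQ", gss_ap_req_sample())))
    print(precheck(negotiate_headers(spnego_sample()), EMPTY_SOAP))
    try:
        precheck({}, EMPTY_SOAP)             # no token anywhere: must be refused
    except PermissionError as err:
        print("rejected:", err)
```

    The gate only establishes that the client presented something
    shaped like an AP-REQ; the AAA step still does the cryptographic
    validation against the server principal. Two points matter for the
    fix to hold: the check is placed before the AAA action, not after
    it, and a token that is present but malformed (wrong ValueType,
    bad base64, truncated DER, wrong mechanism OID) is treated the same
    as no token at all rather than passed through for AAA to sort out.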

Problem summary

    Users of Kerberos authentication in AAA are affected.

    Kerberos authentication in AAA can be bypassed in some
    configurations that also use message-level Kerberos cryptography.

Problem conclusion

    The fix is available in 4.0.2.14, 5.0.0.9 and 6.0.0.0.

    For a list of the latest fix packs available, please see:
    http://www-01.ibm.com/support/docview.wss?uid=swg21237631

Temporary fix

    Before the AAA action, validate that the request itself carries a
    Kerberos AP-REQ, either as a WS-Security BinarySecurityToken or as a
    SPNEGO token, and reject any request that does not.

Comments

APAR Information

    APAR number:              IC93263
    Reported component name:  DATAPOWER
    Reported component ID:    DP1234567
    Reported release:         500
    Status:                   CLOSED PER
    PE:                       NoPE
    HIPER:                    NoHIPER
    Special Attention:        NoSpecatt
    Submitted date:           2013-06-21
    Closed date:              2013-07-23
    Last modified date:       2013-08-08

    APAR is sysrouted FROM one or more of the following:

    APAR is sysrouted TO one or more of the following:

Fix information

    Fixed component name:     DATAPOWER
    Fixed component ID:       DP1234567

Applicable component levels

    R402 PSY    UP
    R500 PSY    UP
    R600 PSY    UP

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUhMKgBLndAQH1ShLAQKEzQ//WikajL2CVJT9vj6GBtMltu34ztYsUHTN
4dEyKIKlpvS/eOOXDq9JxWy9p0wB7C5AeZIQgr7+EKMgO34wCqKTEaPWfqcQXn2L
SIPsAU+e3c63pehYkzDTH+vHqapYWkIy340BzEj0hJ4GBjYX0tv4hFOjYRBrYHvq
Z4HbA0t2V6DAEoZTC/bz5cWoB4kD8zmlrSi+OkSZzzWZT91ZJHGTSJ3Ku6Gt/MfO
iA1nOrlPBLrHQvE81NMHjbnY63HI+cFhp5IospA/wtZAvQIC4zjJbm6yP5tMJ9NO
60+0otOka7GzlFMNRhTfvzOx/MCGThTbtp1O+gPzxiu9kdpkGFASTvBFY3uHTqc6
5YJdyyIjHDOJDB7dnLDbyjzRQhLZYtZRlYtNnZCiOKRSx5oo47XBtVAwiScoPmf+
lDdsMcyhhsEV4xfWXmFcwcJaH2/6A9Hu/Wc5IHLsaxycI4Z/+5wvoWfBwrHDoIXw
GbaunnS32C4KFMhp8MLuldU8hVZYYdc8DnrKESzLS4RGNnlBl6pZIXEKnG4oato1
QeiAx90qvLz1UVGAJqEJOeFCbS6skugHpMH8P1gy0FlZ5kW+87Bvp12sBrXaevJ6
HApYtwni3w6oLj5F6gSBF6dc/muS3v/XQswOuHcV4JRIpWLXcVADDaE0SkPaoOye
c0CAjslj1F8=
=a44q
-----END PGP SIGNATURE-----