Vigil@nce - WebSphere AS: obtaining LTPA token with JAX-RPC
July 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can obtain the LTPA token of another
user of a WebSphere Application Server application with JAX-RPC
and WS-Security enabled.
Severity: 2/4
Creation date: 05/07/2012
IMPACTED PRODUCTS
– IBM WebSphere Application Server
DESCRIPTION OF THE VULNERABILITY
The JAX-RPC (Java API for XML-based RPC) API is used by a Java
application to invoke a web service.
The LTPA (Lightweight Third-Party Authentication) technology is
used to process the authentication of IBM products.
However, in some cases, when a user authenticates to an
application using JAX-RPC, WS-Security can assign the identity of
the previous LTPA token to the current user.
An authenticated attacker can therefore obtain the LTPA token of
another user of a WebSphere Application Server application with
JAX-RPC and WS-Security enabled, and can then access that user's data.
This vulnerability has the same origin as VIGILANCE-VUL-11089
(https://vigilance.fr/tree/1/11089).
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WebSphere-AS-obtaining-LTPA-token-with-JAX-RPC-11745