CVE-2009-0891

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server versions 6.0.2 through 6.0.2.32 IBM WebSphere Application Server versions 6.1 through 6.1.0.22 IBM WebSphere Application Server versions 7.0 through 7.0.0.0

Description The issue is related to the Web Services Security component, which does not properly enforce nonce and timestamp expiration values in WS-Security bindings. This allows remote authenticated users to conduct session hijacking attacks.

Recommendations For IBM WebSphere Application Server versions 6.0.2 through 6.0.2.32, apply Fix Pack 33 (6.0.2.33) to resolve the issue. For IBM WebSphere Application Server versions 6.1 through 6.1.0.22, apply Fix Pack 23 (6.1.0.23) to resolve the issue. For IBM WebSphere Application Server versions 7.0 through 7.0.0.0, apply Fix Pack 1 (7.0.0.1) to resolve the issue.