CVE-2009-0903

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server versions 7.0.0 through 7.0.0.2 IBM WebSphere Application Server Feature Pack for Web Services versions 6.1.0 through 6.1.0.24

Description The issue arises when a WS-Security policy is established at the operation level, and the system fails to properly handle inbound requests lacking a SOAPAction or WS-Addressing Action. This allows remote attackers to bypass intended access restrictions by sending a crafted request to a JAX-WS application.

Recommendations For IBM WebSphere Application Server versions 7.0.0 through 7.0.0.2, update to version 7.0.0.3 or later. For IBM WebSphere Application Server Feature Pack for Web Services versions 6.1.0 through 6.1.0.24, update to version 6.1.0.25 or later.