Breaking IBM WebSphere Authentication by Abusing Crypto Flaws in LTPA Tokens

Secura's Tom Tervoort discovered two common vulnerabilities and exposures (CVE's) in IBMs WebSphere Authentication. The vulnerabilities are related to the LTPA2 token, a popular type of token in use in IBM Websphere Liberty. He recommends to install IBM's patches right away, and if possible, avoid LTPA tokens for new applications. Download the whitepaper here:

Download the whitepaper here >

Tokens are a modern way of sharing authentication credentials between web services. Cryptographic protocols are meant to protect such tokens, but as we know, cryptography is hard. During his research Tom discovered two CVE's regarding authentication bypasses and privilege escalations.

Install the patches right away

The vulnerabilities have been responsibly disclosed to IBM, which have resulted in patches. If you have an application that uses WebSphere Liberty or Open Liberty and (might) use LTPA authentication, we recommend you install these patches right away.

In general, Tom would recommend against using LTPA tokens for new applications: the underlying cryptography does not follow best practices and these attacks have shown that the complexity of the protocol is sensitive to implementation errors. In this white paper, he presents the technical details.

White papers

Breaking IBM WebSphere Authentication by Abusing Crypto Flaws in LTPA Tokens

Download white paper file_download
Tom T

About the Author

Tom Tervoort is Principal Security Specialist at Secura. He has been working at the company since 2016. Tom is experienced in various technical security assessments, and performs vulnerability research with a focus on cryptographic systems. He has won the 2020 Pwnie Award for best cryptographic attack for his discovery of the Zerologon vulnerability.

Contact Us for More Information

To discover vulnerabilities in your systems, Secura offers a range of services. To learn more, fill out the form below, and an expert will contact you within one business day.