IBM Support

PH34711: Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8)


Abstract

Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8)

Download Description


This interim fix is superseded by a later interim fix
This interim fix is superseded by the interim fix for APAR PH43113. Download and install the interim fix for PH43113 to resolve this APAR.
PH34711 resolves the following problem:

ERROR DESCRIPTION:
Vulnerability in Apache MyFaces affects WebSphere Application Server (CVE-2021-26296 CVSS 8.8)

LOCAL FIXES:
There are no local fixes for users of JSF on WebSphere v8.0, WebSphere v8.5.5, or the jsf-2.0 feature on Liberty.
Context parameters can be configured in the web.xml file as a local fix for the following users:
  • Users of the jsf-2.2 and jsf-2.3 features on WebSphere Liberty
  • Users of JavaServer Faces (JSF) on WebSphere v9
Context parameters:
  • org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN=secureRandom
  • org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN=secureRandom

An additional context parameter can be configured in the web.xml file as a local fix for the following users:
  • Users of the jsf-2.3 feature on WebSphere Liberty
Context parameter:
  • org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN=secureRandom
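As an added example (not part of the APAR or of IBM's code), the following Python check parses a web.xml and reports which of the context parameters listed above are absent or not set to secureRandom for a given runtime. The runtime labels jsf-2.2, jsf-2.3 and websphere-v9 are keys chosen here, and the sample web.xml documents are constructed.

```python
import xml.etree.ElementTree as ET

EXPECTED_VALUE = "secureRandom"

# Parameters the APAR lists per affected runtime (the dictionary keys are labels chosen here).
REQUIRED_PARAMS = {
    "jsf-2.2": (
        "org.apache.myfaces.RANDOM_KEY_IN_VIEW_STATE_SESSION_TOKEN",
        "org.apache.myfaces.RANDOM_KEY_IN_CSRF_SESSION_TOKEN",
    ),
}
REQUIRED_PARAMS["websphere-v9"] = REQUIRED_PARAMS["jsf-2.2"]
REQUIRED_PARAMS["jsf-2.3"] = REQUIRED_PARAMS["jsf-2.2"] + (
    "org.apache.myfaces.RANDOM_KEY_IN_WEBSOCKET_SESSION_TOKEN",
)

def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml files written against any servlet schema parse alike."""
    return tag.rsplit("}", 1)[-1]

def context_params(web_xml: str) -> dict:
    """Return {param-name: param-value} for every <context-param> element in the document."""
    params = {}
    for elem in ET.fromstring(web_xml).iter():
        if _local(elem.tag) != "context-param":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "param-name" in fields:
            params[fields["param-name"]] = fields.get("param-value")
    return params

def missing_params(web_xml: str, runtime: str) -> list:
    """List the required parameters that are absent or carry a value other than secureRandom."""
    present = context_params(web_xml)
    return [n for n in REQUIRED_PARAMS[runtime] if present.get(n) != EXPECTED_VALUE]

def sample_web_xml(values: dict) -> str:
    """Build a minimal constructed web.xml carrying the given context parameters."""
    body = "".join(
        f"  <context-param><param-name>{n}</param-name>"
        f"<param-value>{v}</param-value></context-param>\n"
        for n, v in values.items()
    )
    return f'<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">\n{body}</web-app>'

# Constructed samples: a jsf-2.3 application lacking the websocket parameter, and a hardened one.
WEAK_WEB_XML = sample_web_xml(dict.fromkeys(REQUIRED_PARAMS["jsf-2.2"], EXPECTED_VALUE))
HARDENED_WEB_XML = sample_web_xml(dict.fromkeys(REQUIRED_PARAMS["jsf-2.3"], EXPECTED_VALUE))
```

Running `missing_params(WEAK_WEB_XML, "jsf-2.3")` returns the websocket parameter name, while the same file passes for jsf-2.2, which mirrors the per-feature split in the local fix above.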
PROBLEM CONCLUSION:
Confidential for CVE-2021-26296.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.20, 9.0.5.8, and Liberty 21.0.0.4.

Refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

None

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
08 March 2022

UID

ibm16441083