PH42759: Block class loads for vulnerable classes

Abstract

Block class loads for vulnerable classes

Download Description

PH42759 resolves the following problem:

ERROR DESCRIPTION:

Allow application class loaders to block class loads of classes with known security vulnerabilities.

USERS AFFECTED:
All users of IBM WebSphere Application Server

PROBLEM DESCRIPTION:
Security-compromised classes can be loaded by the WebSphere Application Server application and library class loaders.

PROBLEM SUMMARY:

Applications deployed to WebSphere Application Server may run versions of Log4j2 that are affected by the Log4Shell (CVE-2021-44228) vulnerability.
This APAR updates the WebSphere Application Server application, shared library, and extension class loaders to block the loading of the
org.apache.logging.log4j.core.lookup.JndiLookup class, which is the cause of the vulnerability.
IBM recommends customers analyze their applications for use of Log4j2 with urgency; in the meantime this fix may help mitigate Log4Shell and other vulnerabilities related to that class.
This APAR will not protect in cases where the Log4j2 classes have been renamed (a process known as "shading") or if Log4j2 is loaded from non-WAS class loaders (for example Java system class loaders or user-created class loaders). This fix is provided to assist customers in building a holistic defense in depth against Log4Shell.

PROBLEM CONCLUSION:
Blocking of class loads for org.apache.logging.log4j.core.lookup.JndiLookup was added to the WebSphere application, shared library, and extension class loaders.
Note: The fixes below currently link to the fix for superseding APAR PH42899 for WebSphere traditional.
The original installable interim fix for this APAR (PH42759) could cause unintended problems with slf4j that PH42899 corrects.
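The following is an added illustration, not IBM's code and not the WebSphere class loader implementation: a minimal Java class loader that refuses to load a blocklisted class name before any bytes are read, and that shows why an exact-name blocklist does not catch a shaded (renamed) copy or a load that bypasses this loader. The BlockingClassLoader class, its BLOCKED set and the sample shaded name are all constructed for the example.

```java
import java.util.Set;

/**
 * Hypothetical blocking class loader (example code, not IBM's implementation).
 * Any request for a blocklisted name fails with ClassNotFoundException before
 * the class is located or defined; every other request follows normal
 * parent-first delegation.
 */
public class BlockingClassLoader extends ClassLoader {

    // Constructed blocklist; the APAR text names only JndiLookup.
    private static final Set<String> BLOCKED = Set.of(
        "org.apache.logging.log4j.core.lookup.JndiLookup");

    public BlockingClassLoader(ClassLoader parent) {
        super(parent);
    }

    /** Exact-name policy check, exposed so callers can audit the decision. */
    public static boolean isBlocked(String name) {
        return BLOCKED.contains(name);
    }

    @Override
    protected Class<?> loadClass(String name, boolean resolve)
            throws ClassNotFoundException {
        if (isBlocked(name)) {
            // Refuse up front: the class is never read, defined or linked
            // through this loader, so its static initializer never runs.
            throw new ClassNotFoundException("Class load blocked by policy: " + name);
        }
        return super.loadClass(name, resolve);
    }

    public static void main(String[] args) {
        ClassLoader cl = new BlockingClassLoader(BlockingClassLoader.class.getClassLoader());
        try {
            cl.loadClass("org.apache.logging.log4j.core.lookup.JndiLookup");
            System.out.println("loaded (policy did not apply)");
        } catch (ClassNotFoundException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Limitation the APAR text calls out: a shaded copy lives under a
        // different (constructed) package name and is not matched.
        String shaded = "shaded.org.apache.logging.log4j.core.lookup.JndiLookup";
        System.out.println("shaded name blocked? " + isBlocked(shaded));
    }
}
```

Two properties of this design matter for the caveats in the APAR text. First, the check runs in loadClass rather than findClass, so it applies to every lookup routed through this loader, including delegations from child loaders. Second, it only governs loads that pass through this loader: a class defined directly by the system class loader, or by a user-created loader that does not delegate here, is outside its reach, which is exactly the "non-WAS class loaders" gap the fix description describes.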

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21, 9.0.5.11 and 22.0.0.1.

For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL               SIZE (Bytes)
V85 readme file   3906
V90 readme file   3739

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.
DOWNLOAD                          RELEASE DATE        SIZE (Bytes)  Applicable Fix Packs        DOWNLOAD Options
9.0.5.3-WS-WAS-IFPH42899          18 December 2021    300413        9.0.5.3 through 9.0.5.5     FC
9.0.5.6-WS-WAS-IFPH42899          18 December 2021    303151        9.0.5.6 through 9.0.5.10    FC
8.5.5.16-WS-WAS-IFPH42899         18 December 2021    302850        8.5.5.16 through 8.5.5.20   FC
21.0.0.12-ws-wlp-ifph42759.zip    15 December 2021    1662561       21.0.0.12 IM                FC
210012-wlp-archive-ifph42759.jar  15 December 2021    1600448       21.0.0.12 Archive           FC
21.0.0.9-ws-wlp-ifph42759.zip     15 December 2021    1659830       21.0.0.9 IM                 FC
21009-wlp-archive-ifph42759.jar   15 December 2021    1597881       21.0.0.9 Archive            FC

FC = Fix Central

Problems Solved

PH42759

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
18 December 2021

UID

ibm16526824