IBM Support

PH43148:IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)

Abstract

IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)

Download Description

PH43148 resolves the following problem:

ERROR DESCRIPTION:
IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)
The APAR for this issue that applies to WebSphere Liberty is PH43817.
PROBLEM SUMMARY:
IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)
APARS INCLUDED:
PH42762: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-4104 CVSS 8.1, CVE-2021-45046 CVSS 9.0)
PH42728: Vulnerability in Apache Log4j affects WebSphere Application Server (CVE-2021-44228 CVSS 10.0)
PH38485: Unable to configure logging parameters on the admin console
PH34122: Vulnerability in Dojo affects WebSphere Application Server (CVE-2020-5258 CVSS Score 7.5)
PH37034: Update the version of Log4j contained in the installable UDDI.ear application
PI97162: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI
PROBLEM CONCLUSION:
Confidential for CVE-2021-23450.
Note: Since PH42762 removes Apache Log4j from WebSphere Application Server, installing a fix package that addresses PH43148 also removes Apache Log4j from WebSphere Application Server.
ADDITIONAL STEPS:

No more steps are required for WebSphere Application Server Base.

If you are running WebSphere Application Server Network Deployment, more steps might be required for your deployment manager profiles.

Procedure:

After this interim fix is applied, perform the following steps on each of your WebSphere Application Server Network Deployment deployment manager profiles:

  1. Check whether the dojo.zip file exists within the deployment manager profile directory:
     (WAS_HOME)/profiles/(dmgrprofile)/config/cells/(cellname)/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/dojo.zip
     • If the dojo.zip file does not exist within a deployment manager profile, no additional steps are required for that profile.
  2. If the dojo.zip file does exist within a deployment manager profile, run the following command from the (WAS_HOME)/bin directory:
     • Windows and IBM i:
       wsadmin -lang jython -c "AdminApp.update('isclite', 'file', '[-operation update -contents (WAS_HOME)/systemApps/isclite.ear/isclite.war/WEB-INF/dojo.zip -contenturi isclite.war/WEB-INF/dojo.zip]')"
     • Unix:
       ./wsadmin.sh -lang jython -c "AdminApp.update('isclite', 'file', '[-operation update -contents (WAS_HOME)/systemApps/isclite.ear/isclite.war/WEB-INF/dojo.zip -contenturi isclite.war/WEB-INF/dojo.zip]')"
     • Replace (WAS_HOME) with the installation root directory of your deployment manager.
     • If security is enabled on your deployment manager, you can add the following parameters to prevent a dialog requesting admin credentials from appearing:
       -username (userName) -password (password)
  • The presence of the dojo.zip file depends on how the profile was initially created. If it was created with the Profile Management Tool with the Cell (deployment manager and federated application server) selection, the dojo.zip file will exist in your deployment manager profile.
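The check in step 1 and the command in step 2, as an added POSIX shell example that is not part of this APAR or of any IBM tooling: it walks every profile under WAS_HOME, reports those whose cell configuration still contains the isclite dojo.zip, and prints the Unix wsadmin command for them without executing anything. The profile directory layout is taken from the path in step 1; the function names, the one-argument usage and the decision to print rather than run the command are this example's own choices.

```shell
#!/bin/sh
# Added example, not IBM's own tooling. Finds Network Deployment profiles that still carry
# the cell-scoped isclite dojo.zip from step 1 and prints the Unix wsadmin command from
# step 2. Nothing is executed: review the output, then run the command yourself (append
# -username/-password if administrative security is enabled). Path layout assumed as above:
#   <WAS_HOME>/profiles/<profile>/config/cells/<cell>/<DOJO_REL>
DOJO_REL=applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/dojo.zip

# Print the path of the profile-scoped dojo.zip under profile directory $1.
# Returns 0 if found, 1 if this profile needs no further steps.
dojo_zip_in_profile() {
    for cell in "$1"/config/cells/*; do
        [ -f "$cell/$DOJO_REL" ] || continue
        printf '%s\n' "$cell/$DOJO_REL"
        return 0
    done
    return 1
}

# Print the update command for WAS_HOME $1 (absolute path to wsadmin.sh instead of
# cd'ing into bin; the AdminApp.update arguments are exactly those in step 2).
update_command() {
    printf '%s\n' "$1/bin/wsadmin.sh -lang jython -c \"AdminApp.update('isclite', 'file', '[-operation update -contents $1/systemApps/isclite.ear/isclite.war/WEB-INF/dojo.zip -contenturi isclite.war/WEB-INF/dojo.zip]')\""
}

# Scan every profile under WAS_HOME $1. Prints "<profile> <dojo.zip path>" for each
# affected profile; returns 0 if at least one needs the update, 1 otherwise.
profiles_needing_update() {
    found=1
    for p in "$1"/profiles/*; do
        [ -d "$p" ] || continue
        z=$(dojo_zip_in_profile "$p") || continue
        printf '%s %s\n' "${p##*/}" "$z"
        found=0
    done
    return $found
}

# List affected profiles, then the command to run for them; wsadmin acts on the default
# profile unless told otherwise, so run it once per affected profile.
report() {
    if profiles_needing_update "$1"; then
        echo "Update command for each profile listed above:"
        update_command "$1"
    else
        echo "No deployment manager profile carries dojo.zip; no further steps required."
    fi
}

if [ "$#" -eq 1 ]; then report "$1"; fi
```

Invoke it as `sh check_dojo.sh /opt/IBM/WebSphere/AppServer` (a constructed path) on the deployment manager host after the interim fix is installed.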
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and 9.0.5.12.

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Download the UpdateInstaller to install this fix for 7.0.
Readme files
URL               SIZE (Bytes)
UpdateInstaller   7250000

Installation Instructions

Review the readme.txt for detailed installation instructions.
Readme files
URL               SIZE (Bytes)
V90 readme file   3761
V85 readme file   3896
V80 readme file   3780
V70 readme file   6476

Download Package

Important note: WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.
Download files
DOWNLOAD                           RELEASE DATE       SIZE (BYTES)   FIXPACKS                    URL
9.0.5.3-WS-WASProd-IFPH43148       16 February 2022   16642605       9.0.5.3 through 9.0.5.10    FC
9.0.5.11-WS-WASProd-IFPH43148      15 March 2022      16612468       9.0.5.11                    FC
8.5.5.10-WS-WASProd-IFPH43148      16 February 2022   16458210       8.5.5.10 through 8.5.5.21   FC
8.0.0.15-WS-WASProd-IFPH43148      01 March 2022      16437309       8.0.0.15                    FC
8.0.0.15-WS-WASEmbeded-IFPH43148   01 March 2022      9454459        8.0.0.15                    FC
7.0.0.45-WS-WAS-IFPH43148          16 February 2022   15531372       7.0.0.45                    FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH43148

Change History

  • 15 March 2022: Add 9.0.5.11 interim fix.

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Problems (APARS) fixed
PH43148, PH42762, PH42728, PH38485, PH34122, PH37034, PI97162

Document Information

Modified date:
01 April 2022

UID

ibm16557298