IBM Support

PH48747: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161 CVSS 4.8)

Abstract

IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161 CVSS 4.8)

Download Description

PH48747 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity interim fix CVE-2022-39161

The fix for this APAR is targeted for inclusion in 8.5.5.24 and 9.0.5.16

For more information, see Recommended Updates for WebSphere Application Server:
https://www.ibm.com/support/pages/node/715553
Supersedes Info:
  • IHS Archive install interim fixes: This fix supersedes (includes) the IHS fixes for PH52860, PH53014, PH54015
  • WAS and WASPlugin interim fixes: No supersede of any other fixes.
Potential Side Effects:
After installation of this fix, if the application server hostname specified in plugin-cfg.xml does not match the hostname information in the certificate provided by the application server, webserver startup or connectivity to WebSphere may fail. To configure additional acceptable hostnames or configure the WebServer Plug-in to tolerate mismatched certificates, review the information here
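
A pre-installation check for the side effect described above, as an added example that is not IBM's code or tooling: it lists each HTTPS `Transport` in a plugin-cfg.xml whose `Hostname` is not covered by the names in that server's certificate. The sample XML and certificate names are constructed, and the exact-or-leftmost-wildcard comparison is a generic assumption, not the plug-in's documented matching logic.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed plugin-cfg.xml with one HTTP and two HTTPS transports.
SAMPLE_PLUGIN_CFG = """<Config>
  <ServerCluster Name="cluster1">
    <Server Name="node1_server1">
      <Transport Hostname="was1.example.com" Port="9080" Protocol="http"/>
      <Transport Hostname="was1.example.com" Port="9443" Protocol="https"/>
    </Server>
    <Server Name="node2_server1">
      <Transport Hostname="10.0.0.12" Port="9443" Protocol="https"/>
    </Server>
  </ServerCluster>
</Config>"""

# Constructed sample: hostname entries read from each application server's
# certificate, keyed by the (Hostname, Port) the plug-in connects to.
SAMPLE_CERT_NAMES = {
    ("was1.example.com", 9443): ["*.example.com"],
    ("10.0.0.12", 9443): ["was2.example.com"],
}

def name_matches(hostname, cert_name):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    host, pattern = hostname.lower().rstrip("."), cert_name.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return host == pattern

def find_mismatches(plugin_cfg_xml, cert_names):
    """Return (server, hostname, port) for HTTPS transports not covered by their certificate."""
    mismatches = []
    root = ET.fromstring(plugin_cfg_xml)
    for server in root.iter("Server"):
        for transport in server.findall("Transport"):
            if transport.get("Protocol", "").lower() != "https":
                continue  # only TLS transports present a certificate
            host, port = transport.get("Hostname"), int(transport.get("Port"))
            names = cert_names.get((host, port), [])
            if not any(name_matches(host, n) for n in names):
                mismatches.append((server.get("Name"), host, port))
    return mismatches

if __name__ == "__main__":
    for server, host, port in find_mismatches(SAMPLE_PLUGIN_CFG, SAMPLE_CERT_NAMES):
        print(f"{server}: {host}:{port} is not covered by the server certificate")
```

Transports reported here are the ones to fix, by reissuing the certificate or correcting the hostname in plugin-cfg.xml, before the interim fix is applied.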

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

 
| URL | SIZE(Bytes) |
|---|---|
| V90 archive readme file | 1267 |
| V85 readme file | 1872 |
| V90 readme file | 1906 |

Download Package

The WebSphere WebServer Plug-in is a separately installable optional component of WebSphere Application Server and WebSphere Liberty. It is also provided as part of the IBM HTTP Server "archive installation". It provides reverse proxy capability between webservers like IBM HTTP Server, Apache HTTP Server, and Microsoft IIS and the application server tier.

WebSphere WebServer Plug-in Installation Manager update

These fixes are required if the WebSphere WebServer Plug-in is installed and maintained with IBM Installation Manager.  If your Plugin installation has a bin/versionInfo{.sh|bat} it uses IBM Installation Manager.

| Download | RELEASE DATE | SIZE(Bytes) | Applies to | URL |
|---|---|---|---|---|
| 9.0.5.11-WS-WASPlugIn-IFPH48747 | 02 May 2023 | 63751789 | 9.0.5.11-9.0.5.15 | FC |
| 8.5.5.14-WS-WASPlugIn-IFPH48747 | 02 May 2023 | 81769565 | 8.5.5.14-8.5.5.22 | FC |
| 8.5.5.23-WS-WASPlugIn-IFPH48747 | 05 May 2023 | 81745975 | 8.5.5.23 | FC |

Application Server update to support new optional plugin-cfg.xml generation properties

These fixes are required if setting new custom properties in the traditional WebSphere admin console (https://www.ibm.com/support/pages/node/6982543)

| Download | RELEASE DATE | SIZE(Bytes) | Applies to | URL |
|---|---|---|---|---|
| 9.0.5.11-WS-WAS-IFPH48747 | 02 May 2023 | 349322 | 9.0.5.11-9.0.5.15 | FC |
| 8.5.5.14-WS-WAS-IFPH48747 | 02 May 2023 | 355689 | 8.5.5.14-8.5.5.23 | FC |

IBM HTTP Server archive fixes with updated WAS WebServer Plug-in runtime

These fixes should only be used if you use the IHS Archive Install without IBM Installation Manager. This cumulative update provides the latest IHS and Plugin binaries.  If your IHS installation has a postinstall.{sh|bat} at the installation root, you are likely using the archive installation.

| Download | RELEASE DATE | SIZE(Bytes) | URL |
|---|---|---|---|
| 9.0.5-WS-IHS-ARCHIVE-linux-x86_64-FP015-IFPH48747 | 02 May 2023 | 26682207 | FC |
| 9.0.5-WS-IHS-ARCHIVE-aix-ppc64-FP015-IFPH48747 | 02 May 2023 | 35858550 | FC |
| 9.0.5-WS-IHS-ARCHIVE-linux-ppc64le-FP015-IFPH48747 | 02 May 2023 | 27109195 | FC |
| 9.0.5-WS-IHS-ARCHIVE-linux-s390x-FP015-IFPH48747 | 02 May 2023 | 29553579 | FC |
| 9.0.5-WS-IHS-ARCHIVE-win-x86-FP015-IFPH48747 | 02 May 2023 | 33274639 | FC |
| 9.0.5-WS-IHS-ARCHIVE-win-x86_64-FP015-IFPH48747 | 02 May 2023 | 35516852 | FC |

Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH48747, PH52860, PH53014, PH54015

Change History

May 04: The WAS Plugin fix for 8.5 inadvertently does not apply to 8.5.5.23. The description was changed and a separate 8.5.5.23 is being prepared.
May 05: Added 8.5.5.23 for WASPlugin

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
05 May 2023

UID

ibm16987541