IBM Support

PH42899: block loads of vulnerable classes in WebSphere class loaders

Download


Abstract

Block loads of vulnerable classes in WebSphere class loaders.

Download Description

PH42899 resolves the following problem:

ERROR DESCRIPTION:
Add support to WebSphere to block classes with known vulnerabilities from being loaded
by the WebSphere application and library class loaders.

Note: WebSphere Application Server's own usage of Log4j is removed by
the fixes associated with the following security bulletin, without any
need for PH42899 (this APAR): https://www.ibm.com/support/pages/node/6526750
This APAR supersedes APAR PH42759 (for WebSphere traditional).
The original fixes for PH42759 may cause an unintended problem for a small number of SLF4J users.
If PH42759 has already been installed and there are no errors related to SLF4J, there is no need to update to this APAR.

USERS AFFECTED:
All users of IBM WebSphere Application Server

PROBLEM DESCRIPTION:
Security-compromised classes can be loaded by the WebSphere Application Server application and library class loaders.
Applications deployed to WebSphere Application Server may run versions of Log4j2 that are affected by Log4Shell (CVE-2021-44228) and related vulnerabilities.
This APAR updates the WebSphere Application Server application, shared library, and extension class loaders to block the loading of the org.apache.logging.log4j.core.lookup.JndiLookup class, which is the source of the vulnerability.
IBM recommends that customers analyze their applications for use of Log4j2 with urgency; in the meantime this fix may help mitigate Log4Shell and other vulnerabilities related to that class. This APAR does not protect in cases where the Log4j2 classes have been renamed (a process known as "shading") or where Log4j2 is loaded by non-WAS class loaders (for example, Java system class loaders or user-created class loaders). The blocking matches the class by its fully qualified name only, so any copy under a different package name is not affected. This fix is provided to help customers build a defense in depth against Log4Shell.


PROBLEM CONCLUSION:

This APAR supersedes APAR PH42759 (for WebSphere traditional).

Blocking of class loads for org.apache.logging.log4j.core.lookup.JndiLookup was added to the WAS application, shared library, and extension class loaders.

NOTE: For applications utilizing the Log4j 2.0 Beta 9 release, preventing the load of this class will cause an uncaught NoClassDefFoundError. Users whose applications include this library are advised to update their Log4j immediately and avoid applying this APAR until after that update is applied.
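The two points above, the name-based class-load block and the NoClassDefFoundError it can surface in code that references the class statically, can be seen in a small stand-alone Java class loader. The following is an added example written for this page, not IBM's WebSphere implementation; the class name BlockingClassLoader, the BLOCKED set and the jarContainsBlockedClass helper are all assumptions for the demo, and the blocked class name is the one this APAR names.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.file.Path;
import java.util.Set;
import java.util.jar.JarFile;

/**
 * Added example (not IBM's code): a URLClassLoader that refuses to load
 * classes whose fully qualified names are on a blocklist, illustrating the
 * kind of class-load blocking PH42899 adds to the WAS application,
 * shared-library and extension class loaders.
 */
public class BlockingClassLoader extends URLClassLoader {

    // The class this APAR blocks. Matching is by exact binary name, so a
    // shaded copy under another package name is NOT matched (the caveat
    // the APAR text gives). Set.of needs Java 9 or later.
    private static final Set<String> BLOCKED = Set.of(
        "org.apache.logging.log4j.core.lookup.JndiLookup");

    public BlockingClassLoader(URL[] urls, ClassLoader parent) {
        super(urls, parent);
    }

    /** True when policy forbids loading the named class through this loader. */
    public static boolean isBlocked(String name) {
        return BLOCKED.contains(name);
    }

    /**
     * loadClass (not findClass) is the hook, so the block applies before
     * parent delegation and cannot be satisfied by a parent loader.
     */
    @Override
    protected Class<?> loadClass(String name, boolean resolve)
            throws ClassNotFoundException {
        if (isBlocked(name)) {
            // Reflective callers see this ClassNotFoundException; code that
            // references the class statically (as Log4j 2.0 beta 9 does) gets
            // a NoClassDefFoundError from the JVM at link time instead.
            throw new ClassNotFoundException("Class load blocked by policy: " + name);
        }
        return super.loadClass(name, resolve);
    }

    /**
     * Inventory helper for the "analyze your applications" recommendation:
     * true if a jar contains an entry for a blocked class. Only looks at the
     * top level, so nested jars (WAR inside EAR) must be scanned separately.
     */
    public static boolean jarContainsBlockedClass(Path jar) throws IOException {
        try (JarFile jf = new JarFile(jar.toFile())) {
            return jf.stream().anyMatch(e -> BLOCKED.contains(
                e.getName().replace('/', '.').replaceAll("\\.class$", "")));
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: no jars on the loader's own path, normal parent.
        BlockingClassLoader cl = new BlockingClassLoader(
            new URL[0], BlockingClassLoader.class.getClassLoader());
        String[] names = {
            "org.apache.logging.log4j.core.lookup.JndiLookup",        // blocked
            "com.example.shaded.log4j.core.lookup.JndiLookup",        // shaded: not matched
            "java.lang.String"                                         // loads normally
        };
        for (String n : names) {
            try {
                Class.forName(n, false, cl);
                System.out.println("loaded      : " + n);
            } catch (ClassNotFoundException e) {
                String why = isBlocked(n) ? "blocked by policy" : "not on classpath";
                System.out.println("unavailable : " + n + " (" + why + ")");
            }
        }
        // Usage for the jar scan (path is a placeholder, not a real artifact):
        // System.out.println(jarContainsBlockedClass(Path.of("app/WEB-INF/lib/log4j-core.jar")));
    }
}
```

Running the demo shows the blocked name rejected by policy while the shaded name is merely absent from the classpath: a shaded Log4j2 would load through this loader unchanged, which is why the APAR text stresses analyzing the applications themselves rather than relying on the block alone.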


The fix for this APAR is targeted for inclusion in fix packs 8.5.5.21 and 9.0.5.11. For more information, see 'Recommended
Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL          SIZE (Bytes)
V90 readme   4316
V85 readme   4497

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.

DOWNLOAD                     RELEASE DATE        SIZE (Bytes)   Applicable Fix Packs       Download Options
9.0.5.3-WS-WAS-IFPH42899     18 December 2021    300413         9.0.5.3 through 9.0.5.5    Fix Central (FC)
9.0.5.6-WS-WAS-IFPH42899     18 December 2021    303151         9.0.5.6 through 9.0.5.10   Fix Central (FC)
8.5.5.16-WS-WAS-IFPH42899    18 December 2021    302850         8.5.5.16 through 8.5.5.20  Fix Central (FC)

Problems Solved

PH42899, PH42759

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
20 December 2021

UID

ibm16528220