IBM Support

PI36211;8.5.0: Security Integrity ifix for OAuth in the full profile

Download


Abstract

Security Integrity ifix for OAuth in the full profile

Download Description

PI36211 resolves the following problem:

ERROR DESCRIPTION:
Security Integrity ifix for OAuth in the full profile.

PROBLEM SUMMARY:
WebSphere Application Server Full Profile could allow a remote attacker to gain elevated privileges on the system when the OAuth grant type of password is used.

PROBLEM CONCLUSION:
The OAuth run time is updated to remediate the exposure.

ADDITIONAL INSTALLATION INSTRUCTIONS:

The fix for PI36211 will not be active until WebSphereOauth20SP.ear is updated with the new EAR in the (WAS_HOME)/installableApps directory.

This fix is an update to the OAuth EAR file, WebSphereOauth20SP.ear. This fix replaces the old EAR file in the (WAS_HOME)/installableApps directory with the updated one from the fix. For any cell that is running the EAR, the fix will not be active in that cell until the installed WebSphereOauth20SP.ear is updated from the new EAR in the installableApps directory.

You can tell if the OAuth EAR file is installed in a cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory.

If WebSphereOauth20SP.ear is installed in your cell, do the following after applying the fix:

    1. Update WebSphereOauth20SP.ear from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.

    2. If you are using network deployment, ensure that all of the nodes are synchronized.
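The check described above, as an added shell example (not IBM's code): it looks for the WebSphereOauth20SP.ear directory in each cell and flags cells where the EAR in installableApps is newer than the deployed copy. It assumes (CELL_ROOT) is `<profile_root>/config/cells/<cell>`; the timestamp comparison is only a heuristic, and the function names and sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the IBM fix or readme.
# Assumption: CELL_ROOT is <profile_root>/config/cells/<cell_name>.
EAR=WebSphereOauth20SP.ear

# Print "<cell> <status>" for every cell under a profile:
#   not-installed   no WebSphereOauth20SP.ear directory in the cell
#   update-pending  installableApps EAR is newer than the deployed directory
#   current         deployed directory is at least as new (mtime heuristic)
check_oauth_ear() {
    was_home=$1; profile_root=$2
    new_ear="$was_home/installableApps/$EAR"
    [ -f "$new_ear" ] || { echo "missing $new_ear" >&2; return 2; }
    for cell_root in "$profile_root"/config/cells/*; do
        [ -d "$cell_root" ] || continue
        cell=$(basename "$cell_root")
        deployed="$cell_root/applications/$EAR"
        if [ ! -d "$deployed" ]; then
            echo "$cell not-installed"
        elif [ -n "$(find "$new_ear" -newer "$deployed")" ]; then
            echo "$cell update-pending"
        else
            echo "$cell current"
        fi
    done
    return 0
}

# Constructed sample tree for trying the check offline (not real WAS data).
make_sample_tree() {
    t=$(mktemp -d)
    apps_a="$t/prof/config/cells/cellA/applications"
    apps_b="$t/prof/config/cells/cellB/applications"
    mkdir -p "$t/was/installableApps" "$apps_a/$EAR" "$apps_b/$EAR" \
             "$t/prof/config/cells/cellC/applications"
    : > "$t/was/installableApps/$EAR"
    touch -t 201507080000 "$t/was/installableApps/$EAR"  # EAR laid down by the fix
    touch -t 201501010000 "$apps_a/$EAR"                 # deployed before the fix
    touch -t 201508010000 "$apps_b/$EAR"                 # updated after the fix
    echo "$t"
}

# Real use: sh check.sh <WAS_HOME> <profile_root>
if [ $# -ge 2 ]; then
    check_oauth_ear "$1" "$2"
fi
```

A cell reported as update-pending still needs step 1 above, followed by node synchronization in a network deployment.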


THE FOLLOWING FIXES ARE PROVIDED:



7.0.0.31-WS-WAS-IFPI36211.pak applies to fixpack 7.0.0.31.
7.0.0.33-WS-WAS-IFPI36211.pak applies to fixpacks 7.0.0.33 through 7.0.0.37.

8.0.0.6-WS-WASProd-IFPI36211.zip applies to fixpack 8.0.0.6.
8.0.0.8-WS-WASProd-IFPI36211.zip applies to fixpack 8.0.0.8.
8.0.0.9-WS-WASProd-IFPI36211.zip applies to fixpacks 8.0.0.9 through 8.0.0.10.

8.5.0.1-WS-WASProd-IFPI36211.zip applies to fixpack 8.5.0.1.
8.5.0.2-WS-WASProd-IFPI36211.zip applies to fixpack 8.5.0.2.

8.5.5.1-WS-WASProd-IFPI36211.zip applies to fixpack 8.5.5.1.
8.5.5.2-WS-WASProd-IFPI36211.zip applies to fixpacks 8.5.5.2 through 8.5.5.5.

The APAR for this issue that applies to the Liberty profile is PI33202.

Keywords: IBMWL3WSS, OAUTH, INTERIMFIX

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme files:

WebSphere 8.5 readme (US English, size 2473): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI36211/8.5.5.5/readme.txt
WebSphere 8.0 readme (US English, size 2458): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI36211/8.0.0.10/readme.txt
WebSphere 7.0 readme (US English, size 5153): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI36211/7.0.0.37/readme.txt

Downloads:

7.0.0.31-WS-WAS-IFPI36211 (8 Jul 2015, US English, size 84300, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.31-WS-WAS-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

7.0.0.33-WS-WAS-IFPI36211 (16 Mar 2015, US English, size 77611, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.33-WS-WAS-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

8.0.0.6-WS-WASProd-IFPI36211 (8 Jul 2015, US English, size 327623, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.6-WS-WASProd-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

8.0.0.8-WS-WASProd-IFPI36211 (8 Jul 2015, US English, size 327489, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.8-WS-WASProd-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

8.0.0.9-WS-WASProd-IFPI36211 (16 Mar 2015, US English, size 285522, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.9-WS-WASProd-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

8.5.0.1-WS-WASProd-IFPI36211 (14 Aug 2015, US English, size 282017, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.0.1-WS-WASProd-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

8.5.0.2-WS-WASProd-IFPI36211 (16 Mar 2015, US English, size 282030, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.0.2-WS-WASProd-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

8.5.5.1-WS-WASProd-IFPI36211 (8 Jul 2015, US English, size 328676, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.1-WS-WASProd-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

8.5.5.2-WS-WASProd-IFPI36211 (16 Mar 2015, US English, size 289316, platform AIX)
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.2-WS-WASProd-IFPI36211&productid=WebSphere%20Application%20Server&brandid=5

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Business Unit: Cloud & Data Platform
Component: Security
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Version: 8.5.5.5, 8.5.5.4, 8.5.5.3, 8.5.5.2, 8.5.5.1, 8.5.0.2, 8.5.0.1, 8.0.0.9, 8.0.0.8, 8.0.0.6, 8.0.0.10, 7.0.0.37, 7.0.0.35, 7.0.0.33, 7.0.0.31
Edition: Base, Network Deployment, Single Server
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24039602