Download
Abstract
Potential security vulnerability
Download Description
PM86788 resolves the following problem:
ERROR DESCRIPTION:
Potential security vulnerability
LOCAL FIX:
PROBLEM SUMMARY:
Deserialization of a maliciously crafted OpenJPA object can result in an executable file being written to the file system. An attacker needs to discover an unprotected server program to exploit this vulnerability. The attacker then needs to exploit another unprotected server program to execute the file and gain access to the system. OpenJPA usage by itself does not introduce the vulnerability. The OpenJPA code ships with WebSphere Application Server, but WebSphere Application Server is NOT vulnerable to this issue.
PROBLEM CONCLUSION:
The code has been updated to resolve this issue. For more information, please refer to the security bulletin: http://www-01.ibm.com/support/docview.wss?&uid=swg21635999
Prerequisites
None
Installation Instructions
Use Installation Manager to install the fix. The fix can be applied in one of two ways.
1) Allow Installation Manager to download the fix from the repository (Recommended). Set up the repository by going to File > Preferences. Then click Add repository and add http://public.dhe.ibm.com/software/websphere/repositories/repository.config. Click Update to continue installing the fix.
2) If Installation Manager cannot download the fix because of firewall access or for some other reason, you can download the fix manually. Download the fix from the link provided. Unzip the file into a new directory. Run Installation Manager and browse to the repository.config within the new directory. Click Update to continue installing the fix.
Please review the readme.txt for detailed installation instructions.
Technical Support
Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).
Problems (APARS) fixed
Document Information
Modified date:
15 June 2018
UID
swg24035164