IBM Support

PI49272: Cross-site scripting in WebSphere Application Server OAuth service provider CVE-2015-7417

Downloadable files


Abstract

Cross-site scripting in WebSphere Application Server OAuth service provider

Download Description

PI49272 resolves the following problem:

ERROR DESCRIPTION:
Cross-site scripting in WebSphere Application Server OAuth service provider.

PROBLEM SUMMARY:
Cross-site scripting in WebSphere Application Server OAuth service provider CVE-2015-7417.

RECOMMENDATION:
Apply this interim fix.

ADDITIONAL INSTALLATION INSTRUCTIONS FOR THE FULL PROFILE ONLY:

This fix is an update to the OAuth EAR file, WebSphereOauth20SP.ear. It replaces the old EAR file in the (WAS_HOME)/installableApps directory with the updated one from the fix. For any cell that is running the EAR, the fix is not active in that cell until the installed WebSphereOauth20SP.ear is updated from the new EAR in the installableApps directory.

You can tell whether the OAuth EAR file is installed in a cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory.

If WebSphereOauth20SP.ear is installed in your cell, do the following after applying the fix:

    1. Update WebSphereOauth20SP.ear from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.
    2. If you are using network deployment, ensure that all of the nodes are synchronized.
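
The directory check and the follow-up step above can be scripted per cell. The shell functions below are an added example, not part of IBM's fix or readme; the function names and the way WAS_HOME and CELL_ROOT are passed in are assumptions, and the modification-time comparison is a heuristic, not an IBM-documented test.

```shell
#!/bin/sh
# Added example: classify a cell after the PI49272 interim fix has replaced
# the EAR in WAS_HOME/installableApps. Function names are hypothetical.
EAR_NAME="WebSphereOauth20SP.ear"

# Usage: oauth_ear_status WAS_HOME CELL_ROOT
# Prints one of:
#   not-installed   no WebSphereOauth20SP.ear directory under CELL_ROOT/applications
#   no-source-ear   WAS_HOME/installableApps has no WebSphereOauth20SP.ear to update from
#   update-pending  nothing in the deployed directory is newer than the installableApps EAR
#   updated         the deployed directory holds content newer than the installableApps EAR
oauth_ear_status() {
    was_home=$1
    cell_root=$2
    source_ear="$was_home/installableApps/$EAR_NAME"
    deployed_dir="$cell_root/applications/$EAR_NAME"

    # The check the advisory gives: does the directory exist in this cell?
    if [ ! -d "$deployed_dir" ]; then
        echo "not-installed"
        return 0
    fi
    if [ ! -f "$source_ear" ]; then
        echo "no-source-ear"
        return 0
    fi
    # Heuristic (assumption): an application update rewrites files in the
    # deployed directory, so they become newer than the source EAR.
    # Equal timestamps count as pending, which errs on the side of updating.
    newer=$(find "$deployed_dir" -newer "$source_ear" -print | head -n 1)
    if [ -n "$newer" ]; then
        echo "updated"
    else
        echo "update-pending"
    fi
}

# Usage: report_cells WAS_HOME CELL_ROOT [CELL_ROOT ...]
# Prints "<cell root>: <status>" for each cell so pending cells stand out.
report_cells() {
    was_home=$1
    shift
    for cell_root in "$@"; do
        echo "$cell_root: $(oauth_ear_status "$was_home" "$cell_root")"
    done
}
```

A cell reported as `update-pending` still needs step 1 above, followed by node synchronization under network deployment.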

    THE FOLLOWING FIXES ARE PROVIDED:

    Full Profile:

      7.0.0.33-WS-WAS-IFPI49272.pak applies to fixpacks 7.0.0.33 through 7.0.0.37.
      7.0.0.39-WS-WAS-IFPI49272.pak applies to fixpack 7.0.0.39.
      8.0.0.9-WS-WASProd-IFPI49272.zip applies to fixpacks 8.0.0.9 through 8.0.0.10.
      8.0.0.11-WS-WASProd-IFPI49272.zip applies to fixpack 8.0.0.11.
      8.5.5.6-WS-WAS-IFPI49272.zip applies to the full profile, fixpacks 8.5.5.6 through 8.5.5.8.

      8.5.5.2-WS-WAS-IFPI49272.zip applies to the full profile, fixpacks 8.5.5.2 through 8.5.5.5. This fix requires that the fix for PI36211 also be installed.

    Liberty Profile:

      8.5.5.6-WS-WLP-IFPI49272.zip applies to the Liberty profile, fixpack 8.5.5.6.
      8.5.5.7-WS-WLP-IFPI49272.zip applies to the Liberty profile, fixpack 8.5.5.7.
      8.5.5.8-WS-WLP-IFPI49272.zip applies to the Liberty profile, fixpack 8.5.5.8.

      8556-wlp-archive-IFPI49272.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.6.
      8557-wlp-archive-IFPI49272.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.7.
      8558-wlp-archive-IFPI49272.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.8.


    Keywords: IBMWL3WSS OAUTH INTERIMFIX

    Prerequisites

    None

    Installation Instructions

    Please review the readme.txt for detailed installation instructions.

    URL                      LANGUAGE     SIZE(Bytes)
    Readme v85               US English   3707
    Readme v80               US English   3681
    Readme v70               US English   6375
    Archive Readme 8.5.5.6   US English   2307
    Archive Readme 8.5.5.7   US English   2271
    Archive Readme 8.5.5.8   US English   1927

    Download package



    Download                       RELEASE DATE   LANGUAGE     SIZE(Bytes)   Download Options
    7.0.0.33-WS-WAS-IFPI49272      14 Jan 2016    US English   76411         FC
    7.0.0.39-WS-WAS-IFPI49272      14 Jan 2016    US English   77636         FC
    8.0.0.9-WS-WASProd-IFPI49272   14 Jan 2016    US English   354876        FC
    8.0.0.11-WS-WASProd-IFPI49272  14 Jan 2016    US English   77636         FC
    8.5.5.2-WS-WAS-IFPI49272       7 Feb 2016     US English   506263        FC
    8.5.5.6-WS-WAS-IFPI49272       14 Jan 2016    US English   432563        FC
    8.5.5.6-WS-WLP-IFPI49272       27 Jan 2016    US English   1110785       FC
    8556-wlp-archive-IFPI49272     27 Jan 2016    US English   2717840       FC
    8.5.5.7-WS-WLP-IFPI49272       14 Jan 2016    US English   1114014       FC
    8557-wlp-archive-IFPI49272     14 Jan 2016    US English   2737095       FC
    8.5.5.8-WS-WLP-IFPI49272       27 Jan 2016    US English   960420        FC
    8558-wlp-archive-IFPI49272     27 Jan 2016    US English   3570733       FC

    Technical support

    Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

    Problems (APARS) fixed
    PI49272

    Document information

    More support for: WebSphere Application Server
    General

    Software version: 7.0.0.33, 7.0.0.35, 7.0.0.37, 7.0.0.39, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.5.5.2, 8.5.5.3, 8.5.5.4, 8.5.5.5, 8.5.5.6, 8.5.5.7, 8.5.5.8

    Operating system(s): AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, iOS

    Software edition: Base, Liberty, Network Deployment, Single Server

    Reference #: 4041604

    Modified date: 07 October 2016

