IBM Support

PI49272: Cross-site scripting in WebSphere Application Server OAuth service provider CVE-2015-7417

Abstract

Cross-site scripting in WebSphere Application Server OAuth service provider

Download Description

PI49272 resolves the following problem:

ERROR DESCRIPTION:
Cross-site scripting in WebSphere Application Server OAuth service provider.

PROBLEM SUMMARY:
Cross-site scripting in WebSphere Application Server OAuth service provider CVE-2015-7417.

RECOMMENDATION:
Apply this interim fix.

ADDITIONAL INSTALLATION INSTRUCTIONS FOR THE FULL PROFILE ONLY:

This fix is an update to the OAuth ear file, WebSphereOauth20SP.ear. It replaces the old EAR file in the (WAS_HOME)/installableApps directory with the updated one from the fix. For any cell that is running the ear, the fix is not active in that cell until the installed WebSphereOauth20SP.ear is updated from the new ear in the installableApps directory.

You can tell if the OAuth ear file is installed in a cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory.

If WebSphereOauth20SP.ear is installed in your cell, do the following after applying the fix:

    1. Update WebSphereOauth20SP.ear, from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.
    2. If you are using network deployment, ensure that all of the nodes are synchronized.
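The following POSIX shell function is an added example (not part of the IBM fix page) that automates the check described above: it reports whether WebSphereOauth20SP.ear is installed in a cell and, if so, whether the installed copy already matches the fixed ear in installableApps. It assumes the usual WebSphere layout in which the installed binary sits at (CELL_ROOT)/applications/WebSphereOauth20SP.ear/WebSphereOauth20SP.ear; adjust that path if your cell differs.

```shell
#!/bin/sh
# Added example, not IBM's code. Tells whether the PI49272 ear update is
# active in a cell. Assumed layout (verify against your installation):
#   source ear:     (WAS_HOME)/installableApps/WebSphereOauth20SP.ear
#   installed ear:  (CELL_ROOT)/applications/WebSphereOauth20SP.ear/WebSphereOauth20SP.ear

EAR=WebSphereOauth20SP.ear

# cksum is POSIX, so it is present on AIX as well as Linux; a CRC is enough
# to tell whether the installed copy has been replaced by the fixed one.
file_sum() {
  cksum "$1" | cut -d' ' -f1
}

# oauth_fix_state WAS_HOME CELL_ROOT
# Prints exactly one of:
#   missing-source  fixed ear not found in installableApps (fix not applied)
#   not-installed   the OAuth ear is not deployed in this cell; nothing to do
#   fix-pending     ear is deployed but still the old binary; update and sync
#   fix-active      deployed binary matches the fixed ear
oauth_fix_state() {
  was_home=$1
  cell_root=$2
  src="$was_home/installableApps/$EAR"
  inst_dir="$cell_root/applications/$EAR"
  inst="$inst_dir/$EAR"

  [ -f "$src" ] || { echo missing-source; return 1; }
  # The page's own check: a directory named after the ear under applications/
  [ -d "$inst_dir" ] || { echo not-installed; return 0; }

  if [ -f "$inst" ] && [ "$(file_sum "$src")" = "$(file_sum "$inst")" ]; then
    echo fix-active
  else
    echo fix-pending
  fi
}

# Usage (run on the stand-alone server or deployment manager):
#   oauth_fix_state /opt/IBM/WebSphere/AppServer \
#     /opt/IBM/WebSphere/AppServer/profiles/Dmgr01/config/cells/MyCell
```

In a network deployment, run it against the deployment manager's cell root after the update and node synchronization; a node that still reports fix-pending has not received the new ear.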

THE FOLLOWING FIXES ARE PROVIDED:

Full Profile:

  7.0.0.33-WS-WAS-IFPI49272.pak applies to fixpacks 7.0.0.33 through 7.0.0.37.
  7.0.0.39-WS-WAS-IFPI49272.pak applies to fixpack 7.0.0.39.
  8.0.0.9-WS-WASProd-IFPI49272.zip applies to fixpacks 8.0.0.9 through 8.0.0.10.
  8.0.0.11-WS-WASProd-IFPI49272.zip applies to fixpack 8.0.0.11.
  8.5.5.6-WS-WAS-IFPI49272.zip applies to the full profile, fixpacks 8.5.5.6 through 8.5.5.8.

  8.5.5.2-WS-WAS-IFPI49272.zip applies to the full profile, fixpacks 8.5.5.2 through 8.5.5.5. This fix requires that the fix for PI36211 also be installed.

Liberty Profile:

  8.5.5.6-WS-WLP-IFPI49272.zip applies to the Liberty profile, fixpack 8.5.5.6.
  8.5.5.7-WS-WLP-IFPI49272.zip applies to the Liberty profile, fixpack 8.5.5.7.
  8.5.5.8-WS-WLP-IFPI49272.zip applies to the Liberty profile, fixpack 8.5.5.8.

  8556-wlp-archive-IFPI49272.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.6.
  8557-wlp-archive-IFPI49272.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.7.
  8558-wlp-archive-IFPI49272.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.8.

Keywords: IBMWL3WSS OAUTH INTERIMFIX

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme files (US English):

  Readme v85: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI49272/8.5.5.8/readme85.txt
  Readme v80: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI49272/8.0.0.11/readme80.txt
  Readme v70: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI49272/7.0.0.39/readme70.txt
  Archive Readme 8.5.5.6: ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI49272/8.5.5.6/readme.txt
  Archive Readme 8.5.5.7: ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI49272/8.5.5.7/readme.txt
  Archive Readme 8.5.5.8: ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI49272/8.5.5.8/readme.txt

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).


Document Information

Modified date: 15 June 2018

UID: swg24041604