IBM Support

PI77770: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)

Downloadable files


Abstract

Cross-site request forgery in WebSphere Application Server OAuth service provider

Download Description

PI77770 resolves the following problem:

ERROR DESCRIPTION:
Cross-site request forgery in WebSphere Application Server OAuth service provider.

PROBLEM SUMMARY:
Cross-site request forgery in WebSphere Application Server OAuth service provider CVE-2017-1194.

RECOMMENDATION:
Apply this interim fix.

ADDITIONAL INSTALLATION INSTRUCTIONS FOR THE FULL PROFILE ONLY:
For any cell that is running WebSphereOauth20SP.ear, the fix is not active in that cell until the installed WebSphereOauth20SP.ear is updated with the new EAR that this interim fix places in the installableApps directory. Installing the fix package alone only replaces the staged copy; the deployed application keeps running the old code until it is redeployed from that copy.

This fix is an update to the OAuth EAR file, WebSphereOauth20SP.ear. It replaces the EAR file in the (WAS_HOME)/installableApps directory with the updated one from the fix. You can tell whether the OAuth EAR is installed in your cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory.

If WebSphereOauth20SP.ear is installed in your cell, do the following after applying this fix:

    1. Update WebSphereOauth20SP.ear, from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.
    2. If you are using network deployment, ensure that all of the nodes are synchronized.
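The two checks above (is the OAuth EAR deployed in this cell, and does the deployed copy still differ from the fixed one in installableApps) and the redeploy/sync steps can be scripted. The following is an added example written for this page, not part of the IBM readme or fix package. It assumes, as a labelled guess, that the cell keeps the original EAR binary at (CELL_ROOT)/applications/WebSphereOauth20SP.ear/WebSphereOauth20SP.ear and that the application is deployed under the display name WebSphereOauth20SP; the wsadmin calls it emits (AdminApp.update, AdminConfig.save, AdminNodeManagement.syncActiveNodes) are the documented wsadmin Jython commands for an application update, save and node sync.

```shell
#!/bin/sh
# Added example for this page (not IBM's code): pre-checks and a wsadmin driver
# for the WebSphereOauth20SP.ear redeploy step after installing IFPI77770.
# Assumed layout (not stated by the readme): the installed EAR binary is at
#   $CELL_ROOT/applications/WebSphereOauth20SP.ear/WebSphereOauth20SP.ear
# Assumed display name of the deployed application: WebSphereOauth20SP

EAR_NAME="WebSphereOauth20SP.ear"
APP_NAME="WebSphereOauth20SP"   # assumption: display name used at install time

# The readme's own test: the OAuth EAR is installed in the cell when a directory
# named WebSphereOauth20SP.ear exists under CELL_ROOT/applications. Returns 0 if so.
oauth_ear_installed() {
    cell_root="$1"
    [ -d "$cell_root/applications/$EAR_NAME" ]
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the fixed EAR staged in installableApps differs from the copy
# installed in the cell (fix not yet active), 1 if they are identical, and 2 if
# either file is missing. Relies on the assumed installed-EAR path above.
oauth_ear_needs_update() {
    was_home="$1"; cell_root="$2"
    new_ear="$was_home/installableApps/$EAR_NAME"
    installed_ear="$cell_root/applications/$EAR_NAME/$EAR_NAME"
    [ -f "$new_ear" ] && [ -f "$installed_ear" ] || return 2
    [ "$(sha256_of "$new_ear")" != "$(sha256_of "$installed_ear")" ]
}

# Writes a wsadmin Jython script that replaces the deployed EAR with the fixed
# one, saves the configuration, and, for Network Deployment, pushes the change
# to every active node (the readme's step 2). Run it as:
#   wsadmin.sh -lang jython -f <script>
write_update_script() {
    out="$1"; ear_path="$2"; nd="$3"   # nd: "yes" for a Network Deployment cell
    cat >"$out" <<EOF
# Generated by the added example script; redeploys the fixed OAuth EAR.
AdminApp.update('$APP_NAME', 'app', '[-operation update -contents $ear_path]')
AdminConfig.save()
EOF
    if [ "$nd" = "yes" ]; then
        echo "AdminNodeManagement.syncActiveNodes()" >>"$out"
    fi
}
```

Run oauth_ear_installed first; if it fails, the cell does not host the OAuth provider and no redeploy is needed. If oauth_ear_needs_update returns 0 after the fix is installed, generate the script and run it through wsadmin against the stand-alone server or the deployment manager, then re-run the check: once the installed copy matches the staged EAR the fix is active.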

THE FOLLOWING FIXES ARE PROVIDED:

    Full Profile:

      7.0.0.39-WS-WAS-IFPI77770.pak applies to fixpacks 7.0.0.39 through 7.0.0.41.
      7.0.0.43-WS-WAS-IFPI77770.pak applies to fixpack 7.0.0.43.
      8.0.0.9-WS-WASProd-IFPI77770.zip applies to fixpacks 8.0.0.9 through 8.0.0.11.
      8.0.0.12-WS-WASProd-IFPI77770.zip applies to fixpacks 8.0.0.12 through 8.0.0.13.
      8.5.5.6-WS-WASProd-IFPI77770.zip applies to the full profile, fixpacks 8.5.5.6 through 8.5.5.9.
      8.5.5.10-WS-WASProd-IFPI77770.zip applies to the full profile, fixpacks 8.5.5.10 through 8.5.5.11.
      9.0.0.2-WS-WASProd-IFPI77770.zip applies to the full profile, fixpacks 9.0.0.2 through 9.0.0.3.


    Liberty Profile:

      16.0.0.4-WS-WLP-IFPI77770.zip applies to the Liberty profile, version 16.0.0.4 via the Installation Manager.
      17.0.0.1-WS-WLP-IFPI77770.zip applies to the Liberty profile, version 17.0.0.1 via the Installation Manager.

      16004-wlp-archive-IFPI77770.jar is an archive fix that applies to the Liberty profile, version 16.0.0.4.
      17001-wlp-archive-IFPI77770.jar is an archive fix that applies to the Liberty profile, version 17.0.0.1.


    The fix for this APAR is currently targeted for inclusion in fix packs 7.0.0.45, 8.0.0.14, 8.5.5.12 and 9.0.0.4 (full profile) and 17.0.0.2 (Liberty). Please refer to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

    Keywords: IBMWL3WSS OAUTH INTERIMFIX

    Prerequisites

    None

    Installation Instructions

    Please review the readme.txt for detailed installation instructions.

    URL                         LANGUAGE     SIZE(Bytes)
    Readme v70                  US English   5131
    Readme v80                  US English   2439
    Readme v85                  US English   2471
    Readme v90                  US English   2386
    Archive Readme 16.0.0.4     US English   2022
    Archive Readme 17.0.0.1     US English   2094

    Download package



    Download                        RELEASE DATE   LANGUAGE     SIZE(Bytes)   Download Options
    7.0.0.39-WS-WAS-IFPI77770       24 Apr 2017    US English   78335         FC
    7.0.0.43-WS-WAS-IFPI77770       28 Apr 2017    US English   78326         FC
    8.0.0.9-WS-WASProd-IFPI77770    16 May 2017    US English   287445        FC
    8.0.0.12-WS-WASProd-IFPI77770   24 Apr 2017    US English   286417        FC
    8.5.5.6-WS-WASProd-IFPI77770    10 May 2017    US English   289907        FC
    8.5.5.10-WS-WASProd-IFPI77770   24 Apr 2017    US English   287381        FC
    9.0.0.2-WS-WASProd-IFPI77770    24 Apr 2017    US English   287407        FC
    16.0.0.4-WS-WLP-IFPI77770       24 Apr 2017    US English   1839688       FC
    16004-wlp-archive-IFPI77770     24 Apr 2017    US English   1768550       FC
    17.0.0.1-WS-WLP-IFPI77770       24 Apr 2017    US English   1843841       FC
    17001-wlp-archive-IFPI77770     24 Apr 2017    US English   1772682       FC

    FC = Fix Central

    Technical support

    Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

    Problems (APARS) fixed
    PI77770

    Document information

    More support for: WebSphere Application Server
    General

    Software version: 7.0.0.39, 7.0.0.41, 7.0.0.43, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.5.5.6, 8.5.5.7, 8.5.5.8, 8.5.5.9, 8.5.5.10, 8.5.5.11, 9.0.0.2, 9.0.0.3, 16.0.0.4, 17.0.0.1

    Operating system(s): AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, iOS, z/OS

    Software edition: Base, Liberty, Network Deployment, Single Server

    Reference #: 4043596

    Modified date: 16 May 2017