Fixes are available
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as new function.
Error description
The web server relies on GSKit for SSL communications with some web servers. GSKit can allow an application to "opt in" to security enhancements without requiring application updates. This improves the security of the component and reduces the risk of security vulnerabilities.
Local fix
Problem summary
****************************************************************
* USERS AFFECTED:  IBM WebSphere Application Server IBM HTTP   *
*                  Server plugin users                         *
****************************************************************
* PROBLEM DESCRIPTION: New security vulnerabilities can        *
*                      require continuous updates              *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
The security library (gskit) used with plugin when using IBM based web servers has the ability to tune itself based upon known security vulnerabilities. Plugin is enhancing its use of the library to take advantage of this feature.
Problem conclusion
The plug-in will enable the gsk vaccinate function by default. If you would like to opt out of this feature, add the custom property AutoSecurity = false to the plugin custom properties. Opting out is not recommended unless you fully understand and accept the security exposure it may present.

The WebSphere web server plug-in will also enforce compliance with RFC 5280 (published in 2008) for its TLS certificates after this change is applied. At the time this APAR was first issued, IBM believed certificates issued by public certificate authorities were long-since compliant. We have since learned that a number of certificate authorities issue certificate chains that are not compliant with RFC 5280, specifically in the area of the "Certificate Policies" extension.

Certificates created automatically by the application server are all compliant with RFC 5280. Some self-signed certificates, or certificates issued by locally administered certificate authorities, may not be compliant. The most common non-compliance is the omission of a "BasicConstraints" extension with the "critical" field set to true.

In lieu of replacing the non-compliant certificate, the certificate validation changes in PI39126 can be disabled after the introduction of PI49893 (8.0.0.12, 8.5.5.8). Please examine PI49893 if you wish to disable certificate compliance checking.

The fix for this APAR is currently targeted for inclusion in fix packs 8.0.0.12 and 8.5.5.7. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI39126
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
800
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-04-15
Closed date
2015-06-29
Last modified date
2017-08-31
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
28 April 2022