Fixes are available
PI92492: Potential Denial of Service in WebSphere Application Server JAXRS
9.0.0.7: WebSphere Application Server traditional V9.0 Fix Pack 7
9.0.0.8: WebSphere Application Server traditional V9.0 Fix Pack 8
9.0.0.9: WebSphere Application Server traditional V9.0 Fix Pack 9
9.0.0.10: WebSphere Application Server traditional V9.0 Fix Pack 10
9.0.0.11: WebSphere Application Server traditional V9.0 Fix Pack 11
9.0.5.0: WebSphere Application Server traditional Version 9.0.5 Refresh Pack
9.0.5.1: WebSphere Application Server traditional Version 9.0.5 Fix Pack 1
9.0.5.2: WebSphere Application Server traditional Version 9.0.5 Fix Pack 2
9.0.5.3: WebSphere Application Server traditional Version 9.0.5 Fix Pack 3
9.0.5.4: WebSphere Application Server traditional Version 9.0.5 Fix Pack 4
9.0.5.5: WebSphere Application Server traditional Version 9.0.5 Fix Pack 5
WebSphere Application Server traditional 9.0.5.6
9.0.5.7: WebSphere Application Server traditional Version 9.0.5 Fix Pack 7
9.0.5.8: WebSphere Application Server traditional Version 9.0.5.8
9.0.5.9: WebSphere Application Server traditional Version 9.0.5.9
9.0.5.10: WebSphere Application Server traditional Version 9.0.5.10
9.0.5.11: WebSphere Application Server traditional Version 9.0.5.11
APAR status
Closed as program error.
Error description
Apply the fix for CXF-7071 to WAS v9 so that clients can use the JAX-RS 2.0 features and req.getParameter(). HttpServletRequest.getParameter only gets String values from the query, not from both the query and posted form data. See https://issues.apache.org/jira/browse/CXF-7071
Local fix
Problem summary
****************************************************************
* USERS AFFECTED: All users of IBM WebSphere Application       *
*                 Server using JAXRS 2.0.                      *
****************************************************************
* PROBLEM DESCRIPTION: JAX-RS HTTP POST method call unable     *
*                      to get parameter values                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************

Sample code snippet:

    @POST
    @Path("/searchUser")
    public String getUseDetail(@Context HttpServletRequest req) {
        String username = req.getParameter("userName");
        return username;
    }

In this case it is expected that the userName will be returned, but that is not the case. See JIRA CXF-7071 for more details: https://issues.apache.org/jira/browse/CXF-7071
Problem conclusion
Back-ported the code changes in JIRA CXF-7071 to WAS90. The fix for this APAR is currently targeted for inclusion in fix pack 9.0.0.7. Please refer to the Recommended Updates page for delivery information: http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Temporary fix
Comments
APAR Information
APAR number
PI90848
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2017-11-29
Closed date
2018-01-17
Last modified date
2018-01-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
R900 PSY
UP
Document Information
Modified date:
03 May 2022