Download
Downloadable File
Abstract
Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2021-29754 CVSS 4.2)
Download Description
PH36253 resolves the following problem:
ERROR DESCRIPTION:
Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2021-29754 CVSS 4.2)
LOCAL FIX:
Mitigation summary:
- Set the setLtpaToken custom property to true in the configuration for the SAML Web Inbound TAI.
- Ensure that com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI is not included in the value of the global security custom property com.ibm.websphere.security.InvokeTAIbeforeSSO.
Mitigation procedure:
1. Check whether the SAML Web Inbound TAI is configured.
   - In the administrative console, navigate to Security > Global security > Web and SIP security > Trust association > Interceptors.
   - If com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI is not in the list, no further action is needed.
2. Set the SAML Web Inbound TAI custom property setLtpaToken to true.
   - Select com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI.
   - Ensure that setLtpaToken is specified and its value is true.
3. Remove the SAML Web Inbound TAI class name, com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI, from the value of the com.ibm.websphere.security.InvokeTAIbeforeSSO custom property.
   - When InvokeTAIbeforeSSO is not enabled for the SAML Web Inbound TAI class, the timeout for the user login is that of the LTPA token.
   - Navigate to Security > Global security > Custom properties.
   - Check the list for the com.ibm.websphere.security.InvokeTAIbeforeSSO property.
   - If the property does not exist, skip to step 4.
   - If the property exists and its value includes com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI:
     - If the value includes only com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI, delete the com.ibm.websphere.security.InvokeTAIbeforeSSO property.
     - If the value includes other TAI classes, edit the value and remove com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI from the list.
4. Save the configuration, synchronize the nodes (if applicable), and restart the application servers.
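The procedure above has three decisions (is the SAML TAI configured, is setLtpaToken true, and does InvokeTAIbeforeSSO still name the TAI, with "delete" versus "edit" depending on whether it is the only entry). The following script audits an exported security.xml for all three offline, so the check can be run across many cells before the console work is done. It is an added example, not IBM code from this APAR. The two XML documents are constructed, simplified stand-ins for a real security.xml; the element names interceptors, trustProperties and properties (as direct children of the Security element) and the comma-separated format of InvokeTAIbeforeSSO are assumptions about the configuration file layout. The script only reports; apply the changes through the administrative console or wsadmin and restart as described above.

```python
import xml.etree.ElementTree as ET

SAML_TAI = "com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI"
INVOKE_BEFORE_SSO = "com.ibm.websphere.security.InvokeTAIbeforeSSO"

# Constructed, simplified stand-in for a cell's security.xml (not a real export).
# It has the mitigated-against shape: SAML TAI present, setLtpaToken=false, and
# the TAI listed in InvokeTAIbeforeSSO next to another interceptor.
SAMPLE_SECURITY_XML = """
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1">
  <properties xmi:id="Property_1" name="com.ibm.websphere.security.InvokeTAIbeforeSSO"
      value="com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI,com.example.OtherTAI"/>
  <authConfig xmi:id="AuthConfig_1">
    <interceptors xmi:id="TAInterceptor_1"
        interceptorClassName="com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI">
      <trustProperties xmi:id="Property_2" name="sso_1.sp.acsUrl"
          value="https://sp.example.com/samlsps/acs"/>
      <trustProperties xmi:id="Property_3" name="setLtpaToken" value="false"/>
    </interceptors>
  </authConfig>
</security:Security>
"""

# Constructed cell with no SAML TAI at all: the audit must report nothing to do.
SAMPLE_NO_SAML_XML = """
<security:Security xmlns:xmi="http://www.omg.org/XMI"
    xmlns:security="http://www.ibm.com/websphere/appserver/schemas/5.0/security.xmi"
    xmi:id="Security_1">
  <authConfig xmi:id="AuthConfig_1">
    <interceptors xmi:id="TAInterceptor_1" interceptorClassName="com.example.OtherTAI"/>
  </authConfig>
</security:Security>
"""


def split_classes(value):
    """Split a comma-separated list of TAI class names (assumed format), dropping blanks."""
    return [c.strip() for c in value.split(",") if c.strip()]


def find_interceptor(root, class_name):
    """Return the interceptors element whose interceptorClassName matches, or None.
    Searches the whole tree so the exact nesting under Security does not matter."""
    for el in root.iter():
        if el.get("interceptorClassName") == class_name:
            return el
    return None


def tai_property(interceptor, name):
    """Return the value of a TAI custom property (trustProperties child), or None if unset."""
    for p in interceptor.iter("trustProperties"):
        if p.get("name") == name:
            return p.get("value")
    return None


def global_property(root, name):
    """Return the value of a global security custom property (direct properties child), or None."""
    for p in root.findall("properties"):
        if p.get("name") == name:
            return p.get("value")
    return None


def corrected_invoke_before_sso(value, class_name):
    """Value InvokeTAIbeforeSSO should have once class_name is removed, or None when
    class_name was the only entry, meaning the property itself should be deleted."""
    remaining = [c for c in split_classes(value) if c != class_name]
    return ",".join(remaining) if remaining else None


def audit(xml_text):
    """Return (finding, detail) tuples for one security.xml document.
    'not_configured'        : SAML TAI absent, nothing to do (step 1).
    'set_ltpa_token'        : detail is the current value; it must become 'true' (step 2).
    'invoke_tai_before_sso' : detail is the corrected value, or None to delete (step 3)."""
    root = ET.fromstring(xml_text)
    tai = find_interceptor(root, SAML_TAI)
    if tai is None:
        return [("not_configured", None)]
    findings = []
    ltpa = tai_property(tai, "setLtpaToken")
    if ltpa is None or ltpa.strip().lower() != "true":
        findings.append(("set_ltpa_token", ltpa))
    before = global_property(root, INVOKE_BEFORE_SSO)
    if before is not None and SAML_TAI in split_classes(before):
        findings.append(("invoke_tai_before_sso",
                         corrected_invoke_before_sso(before, SAML_TAI)))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to an exported security.xml; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURITY_XML
    for code, detail in audit(text):
        print(code, detail)
```

An empty result list means the cell already matches the mitigation; a ("set_ltpa_token", None) finding means the property is absent rather than false, which step 2 treats the same way.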
Resources:
- For more information about the setLtpaToken SAML Web Inbound property, see Configuring SAML Web Inbound TAI.
- For more information about configuring the SAML Web Inbound TAI, see SAML Web Inbound TAI Custom Properties.
- For more information about updating the Global Security custom properties, see Modifying an existing custom property in a global security configuration or in a security domain configuration.
PROBLEM CONCLUSION:
Confidential for CVE-2021-29754.
The fix for this APAR is targeted for inclusion in fix packs 8.5.5.20 and 9.0.5.8. For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
None
Installation Instructions
Review the readme.txt for detailed installation instructions.
| URL | SIZE(Bytes) |
|---|---|
| V80 readme file | 2275 |
| V70 readme file | 4907 |
| V90 readme file | 2305 |
| V85 readme file | 2318 |
Download Package
IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes for WebSphere Application Server in this table.
| DOWNLOAD | RELEASE DATE | SIZE(Bytes) | APPLICABLE Fixpacks | DOWNLOAD Options |
|---|---|---|---|---|
| 9.0.0.0-WS-WASProd-IFPH36253 | 09 June 2021 | 287515 | 9.0.0.0 through 9.0.5.7 | FC |
| 8.5.5.10-WS-WASProd-IFPH36253 | 09 June 2021 | 275047 | 8.5.5.10 through 8.5.5.19 | FC |
| 8.0.0.15-WS-WASProd-IFPH36253 | 09 June 2021 | 262194 | 8.0.0.15 | FC |
| 7.0.0.45-WS-WAS-IFPH36253 | 09 June 2021 | 19581 | 7.0.0.45 | FC |
Problems Solved
PH36253
Technical Support
Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Product: WebSphere Application Server (Base), component General
Platforms: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Versions: 7.0.0.45; 8.0.0.15; 8.5.5.10 through 8.5.5.19; 9.0.0.0 through 9.0.0.11; 9.0.5.0 through 9.0.5.7
Document Information
Modified date:
22 June 2021
UID
ibm16462305