IBM Support

PH36253:Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2021-29754 CVSS 4.2)

Download


Downloadable File

Abstract

Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2021-29754 CVSS 4.2)

Download Description

PH36253 resolves the following problem:

ERROR DESCRIPTION:
Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2021-29754 CVSS 4.2)
LOCAL FIX:
 If you apply an interim fix for PH36253 to your application server, it is not necessary to perform any of the following mitigation steps.  These steps are only included to help you avoid the vulnerability if you choose not to install an interim fix.
Mitigation summary:
  1. Set the value for the setLtpaToken custom property to true in the configuration for the SAML Web Inbound TAI.
  2. Ensure that com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI is not included on the setting for the global security com.ibm.websphere.security.InvokeTAIbeforeSSO custom property.
Mitigation procedure:
  1. Check whether the SAML Web Inbound TAI is configured.
    • In the administrative console, navigate to Security > Global security > Web and SIP security > Trust association > Interceptors
    • If you do not find com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI in the list, then no further action is needed.
  2. Set the SAML Web Inbound TAI custom property, setLtpaToken, to true.
    1. Select com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI
    2. Ensure that the setLtpaToken is specified and its value is set to true.
  3. Change the value for the com.ibm.websphere.security.InvokeTAIbeforeSSO custom property to not include the SAML Web Inbound TAI class name, com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI.
    • When InvokeTAIbeforeSSO is not enabled for the SAML Web Inbound TAI class, the timeout for the user login is that of the LTPA token.
    1. Navigate to the Security > Global Security > Custom Properties panel
    2. Check the list for the com.ibm.websphere.security.InvokeTAIbeforeSSO property
      • If the property does not exist, skip to step 4.
      • If the property exists and it includes com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI in its value, perform the following steps:
        • If the value includes only com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI, delete the com.ibm.websphere.security.InvokeTAIbeforeSSO property
        • If the value includes other TAI classes, edit the value for com.ibm.websphere.security.InvokeTAIbeforeSSO and remove com.ibm.ws.security.web.inbound.saml.WebInboundSamlTAI from the list.
  4. Save the configuration
  5. Synchronize (if applicable)
  6. Restart the application servers
Resources:
PROBLEM SUMMARY:
Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2021-29754 CVSS 4.2)

PROBLEM CONCLUSION:
Confidential for CVE-2021-29754.

The fix for this APAR is targeted for inclusion in fix packs 8.5.5.20 and 9.0.5.8. For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.

URL SIZE(Bytes)
V80 readme file 2275
V70 readme file 4907
V90 readme file 2305
V85 readme file 2318

Download Package

 
IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes for WebSphere Application Server in this table. 
DOWNLOAD RELEASE DATE SIZE(Bytes)
APPLICABLE
Fixpacks

DOWNLOAD Options

What is Fix Central(FC)?

9.0.0.0-WS-WASProd-IFPH36253 09 June 2021 287515 9.0.0.0 through 9.0.5.7 FC
8.5.5.10-WS-WASProd-IFPH36253 09 June 2021 275047 8.5.5.10 through 8.5.5.19 FC
8.0.0.15-WS-WASProd-IFPH36253 09 June 2021 262194 8.0.0.15 FC
7.0.0.45-WS-WAS-IFPH36253 09 June 2021 19581 7.0.0.45 FC

Problems Solved

PH36253

On

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

[{"Business Unit":{"code":"Cloud & Data Platform","label":"Cloud & Data Platform"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z/OS"}],"Version":"7.0.0.45;8.0.0.15;8.5.5.10;8.5.5.11;8.5.5.12;8.5.5.13;8.5.5.14;8.5.5.15;8.5.5.16;8.5.5.17;8.5.5.18;8.5.5.19;9.0.0.0;9.0.0.1;9.0.0.10;9.0.0.11;9.0.0.2;9.0.0.3;9.0.0.4;9.0.0.5;9.0.0.6;9.0.0.7;9.0.0.8;9.0.0.9;9.0.5.0;9.0.5.1;9.0.5.2;9.0.5.3;9.0.5.4;9.0.5.5;9.0.5.6;9.0.5.7","Edition":"Base"}]

Document Information

Modified date:
22 June 2021

UID

ibm16462305