|File link||File size||File description|
Block class loads for vulnerable classes
Allow application class loaders to block class loads of classes with known security vulnerabilities
All users of IBM WebSphere Application Server
Security-compromised classes can be loaded by the WebSphere Application Server application and library class loaders.
Applications deployed to WebSphere Application Server may run versions of Log4j2 that are affected by the Log4Shell (CVE-2021-44228) vulnerability.
org.apache.logging.log4j.core.lookup.JndiLookup class, which is the cause of the vulnerability.
Blocking of class loads for org.apache.logging.log4j.core.lookup.JndiLookup was added to the WebSphere application, shared library, and extension class loaders.
The fix for this APAR is targeted for inclusion in fix packs 18.104.22.168, 22.214.171.124 and 126.96.36.199.
For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Review the readme.txt for detailed installation instructions.
|V85 readme file||3906|
|V90 readme file||3739|
WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.
|DOWNLOAD||RELEASE DATE||SIZE(Bytes)||Applicable Fix Packs||
|188.8.131.52-WS-WAS-IFPH42899||18 December 2021||300413||184.108.40.206 through 220.127.116.11||FC|
|18.104.22.168-WS-WAS-IFPH42899||18 December 2021||303151||22.214.171.124 through 126.96.36.199||FC|
|188.8.131.52-WS-WAS-IFPH42899||18 December 2021||302850||184.108.40.206 through 220.127.116.11||FC|
|18.104.22.168-ws-wlp-ifph42759.zip||15 December 2021||1662561||22.214.171.124 IM||FC|
|210012-wlp-archive-ifph42759.jar||15 December 2021||1600448||126.96.36.199 Archive||FC|
|188.8.131.52-ws-wlp-ifph42759.zip||15 December 2021||1659830||184.108.40.206 IM||FC|
|21009-wlp-archive-ifph42759.jar||15 December 2021||1597881||220.127.116.11 Archive||FC|
Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).
18 December 2021