IBM Support

PH43113: ClassNotFoundException for SecureSerializedViewCollection during Session Persistence caused by PH36923

Abstract

java.lang.ClassNotFoundException for SecureSerializedViewCollection during Session Persistence

Download Description

PH43113 resolves the following problem:

ERROR DESCRIPTION:
The application can fail with the following error:
java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection
 
USERS AFFECTED:
  • Users of JavaServer Faces (JSF) with either PH34711 or PH36923 applied on IBM WebSphere Application Server v8.0.0.15 and v8.5.5.5 through v8.5.5.21. 
  • Users of the jsf-2.0 feature on WebSphere Liberty 21.0.0.4 through 22.0.0.2.
  • Users of the jsf-2.0 feature on WebSphere Liberty with either PH34711 or PH36923 applied.
Although PH43113 does not affect WebSphere v9.0, interim fixes are provided for it because PH43113 supersedes both PH34711 (CVE-2021-26296) and PH36923.

PROBLEM DESCRIPTION:
If session persistence is enabled, a java.lang.ClassNotFoundException error might occur after PH34711 and PH36923 are applied for jsf-2.0. All forms of session persistence are affected. The error is raised during session deserialization, when the class is looked up. The resulting stack trace looks similar to the following.

WebSphere Application Server:
java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection
    at java.lang.Class.forNameImpl(Native Method)
    at java.lang.Class.forName(Class.java:333)
    at com.ibm.ws.util.WsObjectInputStream.loadClass(WsObjectInputStream.java:229)
    at ...
    at java.io.ObjectInputStream.readObject(ObjectInputStream.java:517)
    at com.ibm.ws.session.utils.SessionLoader$1.run(SessionLoader.java:112)
    at java.security.AccessController.doPrivileged(AccessController.java:738)
    at com.ibm.ws.session.utils.SessionLoader.loadObject(SessionLoader.java:106)

Liberty:
SESN0051E: An attempt to deserialize a session object from the backend has resulted in a ClassNotFoundException Exception is:java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection
    at ...
    java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
    at com.ibm.ws.serialization.DeserializationObjectInputStream.loadClass(DeserializationObjectInputStream.java:62)
    at com.ibm.ws.serialization.internal.DeserializationObjectInputStreamImpl.loadClass(DeserializationObjectInputStreamImpl.java:48)
    at com.ibm.ws.serialization.DeserializationObjectInputStream.resolveClass(DeserializationObjectInputStream.java:133)
    at com.ibm.ws.serialization.DeserializationObjectInputStream.resolveClass(DeserializationObjectInputStream.java:171)
    ...
    com.ibm.ws.session.utils.SessionLoader.loadObject(SessionLoader.java:62)
    at com.ibm.ws.session.store.db.DatabaseHashMap.getValue(DatabaseHashMap.java:1613)
    at com.ibm.ws.session.store.db.DatabaseSession.getSingleRowAppData(DatabaseSession.java:168)
    at com.ibm.ws.session.store.db.DatabaseSession.getSwappableData(DatabaseSession.java:81)

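
The following Python script is an added example, not IBM code: it scans log text for the ClassNotFoundException signature shown above (including when the class name wraps onto the next line), flags whether session-deserialization markers follow it, and checks a version against the USERS AFFECTED list. The function names, the 25-line context window and the sample log are assumptions made for illustration.

```python
import re

CLASS = "org.apache.myfaces.application.viewstate.SecureSerializedViewCollection"
# Exception name, then the class; \s* tolerates the line wrap seen in the traces.
CNFE = re.compile(r"java\.lang\.ClassNotFoundException:\s*" + re.escape(CLASS))
# Markers of session deserialization that appear in the traces on this page.
SESSION_CTX = re.compile(r"SESN0051E|com\.ibm\.ws\.session\.utils\.SessionLoader")

def find_hits(log_text, window=25):
    """Return [(line_number, in_session_context)] for each matching exception."""
    lines = log_text.split("\n")
    hits = []
    for m in CNFE.finditer(log_text):
        line_no = log_text.count("\n", 0, m.start()) + 1
        context = "\n".join(lines[line_no - 1:line_no - 1 + window])
        hits.append((line_no, bool(SESSION_CTX.search(context))))
    return hits

def _ver(text):
    return tuple(int(part) for part in text.split("."))

def listed_as_affected(product, version, ifix_applied):
    """Mirror the USERS AFFECTED list; ifix_applied means PH34711 or PH36923
    is installed. Assumes JSF (jsf-2.0 on Liberty) is in use."""
    v = _ver(version)
    if product == "liberty":
        return ifix_applied or _ver("21.0.0.4") <= v <= _ver("22.0.0.2")
    if product == "was":
        in_range = v == _ver("8.0.0.15") or _ver("8.5.5.5") <= v <= _ver("8.5.5.21")
        return ifix_applied and in_range
    raise ValueError("product must be 'was' or 'liberty'")

# Constructed sample log: message text taken from the traces above plus filler lines.
SAMPLE = """\
INFO constructed filler line: application started
SESN0051E: An attempt to deserialize a session object from the backend has resulted in a ClassNotFoundException Exception is:java.lang.ClassNotFoundException:
org.apache.myfaces.application.viewstate.SecureSerializedViewCollection
at com.ibm.ws.serialization.DeserializationObjectInputStream.loadClass(DeserializationObjectInputStream.java:62)
java.lang.ClassNotFoundException: com.example.Other
java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection
at com.example.Unrelated.load(Unrelated.java:1)
"""

if __name__ == "__main__":
    for line_no, in_session in find_hits(SAMPLE):
        print(line_no, "session deserialization" if in_session else "other context")
```

The context window is a heuristic: when traces from several threads interleave in one log, a session marker from a neighbouring trace can fall inside it.
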
PROBLEM CONCLUSION:
JSF was updated to avoid this ClassNotFoundException. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and Liberty 22.0.0.3.

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
  • This fix supersedes (includes) the fixes for PH34711 and PH36923.

Prerequisites

None

Installation Instructions

Review the ReadMe.txt file associated with the download package that you choose from Fix Central.

Download Package

Important note: WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download fixes from Fix Central. For information about Fix Central, see What is Fix Central (FC)?.
Perform the following steps to locate and download interim fixes for your application server:
  1. Click one of the following links to get to the list of WebSphere Application Server or Liberty interim fix download packages for APAR PH43113 on Fix Central:
    • PH43113 interim fixes for WebSphere Application Server on Fix Central
    • PH43113 interim fixes for Liberty on Fix Central
  2. Locate the download package that applies to your fix pack.
    • Tips:
      • If you hover over the link for an interim fix, you will be presented with additional details about the fix, including the applicable fix packs in the Applies to versions field.
      • Entering text in the Filter fix details box will dynamically narrow the fix list by matching your text to the details of each fix. You can use this feature to pick out the fix for your fix pack by entering your fix pack number in the Filter fix details box. For example, 9.0.5.3 or 21.0.0.9.
  3. Click the interim fix package that you want to download.
    • Download the ReadMe.txt file for installation instructions.
    • Download the interim fix (the zip, jar, or pak file).

Problems Solved

PH43113

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
24 March 2022

UID

ibm16558242