Download
Downloadable File
File link | File size | File description |
---|---|---|
Abstract
java.lang.ClassNotFoundException for SecureSerializedViewCollection during Session Persistence
Download Description
PH43113 resolves the following problem:
ERROR DESCRIPTION:
The application can fail with the following error:
java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection
ERROR DESCRIPTION:
The application can fail with the following error:
java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection
USERS AFFECTED:
- Users of JavaServer Faces (JSF) with either PH34711 or PH36923 applied on IBM WebSphere Application Server v8.0.0.15 and v8.5.5.5 through v8.5.5.21.
- Users of the jsf-2.0 feature on WebSphere Liberty 21.0.0.4 through 22.0.0.2.
- Users of the jsf-2.0 feature on WebSphere Liberty with either PH34711 or PH36923 applied.
Although PH43113 does not affect WebSphere v9.0, interim fixes are provided for it because PH43113 supersedes both PH34711 (CVE-2021-26296) and PH36923.
PROBLEM DESCRIPTION:
If session persistence is enabled, following PH34711 and PH36923 for jsf-2.0, a java.lang.ClassNotFoundException error might occur. All forms of session persistence are affected. This error is encountered during session deserialization as the class is looked up. The resulting stack trace looks similar to:
WebSphere Application Server:
java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection at java.lang.Class.forNameImpl(Native Method) at java.lang.Class.forName(Class.java:333) at com.ibm.ws.util.WsObjectInputStream.loadClass(WsObjectInputStream.java:229) at ... at java.io.ObjectInputStream.readObject(ObjectInputStream.java:517) at com.ibm.ws.session.utils.SessionLoader$1.run(SessionLoader.java:112) at java.security.AccessController.doPrivileged(AccessController.java:738) at com.ibm.ws.session.utils.SessionLoader.loadObject(SessionLoader.java:106) |
Liberty:
SESN0051E: An attempt to deserialize a session object from the backend has resulted in a ClassNotFoundException Exception is:java.lang.ClassNotFoundException: org.apache.myfaces.application.viewstate.SecureSerializedViewCollection at ... java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522) at com.ibm.ws.serialization.DeserializationObjectInputStream.loadClass(DeserializationObjectInputStream.java:62) at com.ibm.ws.serialization.internal.DeserializationObjectInputStreamImpl.loadClass(DeserializationObjectInputStreamImpl.java:48) at com.ibm.ws.serialization.DeserializationObjectInputStream.resolveClass(DeserializationObjectInputStream.java:133) at com.ibm.ws.serialization.DeserializationObjectInputStream.resolveClass(DeserializationObjectInputStream.java:171) ... com.ibm.ws.session.utils.SessionLoader.loadObject(SessionLoader.java:62) at com.ibm.ws.session.store.db.DatabaseHashMap.getValue(DatabaseHashMap.java:1613) at com.ibm.ws.session.store.db.DatabaseSession.getSingleRowAppData(DatabaseSession.java:168) at com.ibm.ws.session.store.db.DatabaseSession.getSwappableData(DatabaseSession.java:81) |
PROBLEM CONCLUSION:
JSF was updated to avoid this ClassNotFoundException. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and Liberty 22.0.0.3.
For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
JSF was updated to avoid this ClassNotFoundException. The fix for this APAR is targeted for inclusion in fix packs 8.5.5.22 and Liberty 22.0.0.3.
For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
- This fix supersedes (includes) the fixes for PH34711 and PH36923.
Prerequisites
None
Installation Instructions
Review the ReadMe.txt file associated with the download package that you choose from Fix Central. |
Download Package
Important note: WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download fixes from Fix Central. For information about Fix Central, see What is Fix Central (FC)?.
Perform the following steps to locate and download interim fixes for your application server:
|
Problems Solved
PH43113
On
Technical Support
Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"ARM Category":[{"code":"a8m0z0000001j54AAA","label":"WebSphere Application Server traditional-All Platforms-\u003EDownload Documents - L3 Publishing Category"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"20.0.0;21.0.0;22.0.0;8.0.0;8.5.5;9.0.0;9.0.5"}]
Problems (APARS) fixed
Was this topic helpful?
Document Information
Modified date:
24 March 2022
UID
ibm16558242