Abstract
IBM WebSphere Application Server Liberty is vulnerable to a Denial of Service (CVE-2023-24998 CVSS 7.5)
Download Description
The fix for Liberty 22.0.0.12 is superseded by a later interim fix
Due to an error in the code, the fix for Liberty 22.0.0.12 is superseded by a fix for APAR PH54050.
If you previously installed a fix for PH50863 for Liberty 22.0.0.12, uninstall it, then install the fix for PH54050 that is linked on this page.
The remaining fixes for Liberty and WebSphere Application Server traditional are unaffected.
PH50863 resolves the following problem:
ERROR DESCRIPTION: WebSphere Application Server is vulnerable to a Denial of Service (CVE-2023-24998 CVSS 7.5)
PROBLEM SUMMARY: WebSphere Application Server is vulnerable to a Denial of Service (CVE-2023-24998 CVSS 7.5)
PROBLEM CONCLUSION:
The web container code in WebSphere Application Server and Liberty is updated to prevent the vulnerability by allowing the administrator to limit the number of files in a multipart upload request. If the administrator takes no action, the limit is 5000.
A new web container custom property is added to WebSphere Application Server and Liberty to change the limit:
com.ibm.ws.webcontainer.maxFileCount
The default value is 5000.
If you do not want to limit the number of files uploaded in a request, set the value to -1.
For more information about setting a web container custom property, see Web container custom properties for WebSphere Application Server and Web Container (webContainer) for Liberty.
On Liberty, you can also set the limit with the maxFileCount attribute instead of the com.ibm.ws.webcontainer.maxFileCount attribute.
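As an added example (not IBM's code), the following Python check reads a Liberty server.xml and reports which multipart file-count limit it configures, flagging the -1 setting that removes the limit. The server.xml snippets are constructed samples, the function name is hypothetical, and because this page does not say which attribute name wins when both are set, that case is reported as a conflict rather than resolved.

```python
import xml.etree.ElementTree as ET

DEFAULT_LIMIT = 5000  # limit the page says applies when the administrator sets nothing
PROPS = ("com.ibm.ws.webcontainer.maxFileCount", "maxFileCount")

# Constructed server.xml samples (not taken from any real deployment).
SAMPLES = {
    "default": '<server><featureManager><feature>servlet-4.0</feature></featureManager></server>',
    "explicit": '<server><webContainer maxFileCount="200"/></server>',
    "unlimited": '<server><webContainer com.ibm.ws.webcontainer.maxFileCount="-1"/></server>',
    "conflict": '<server><webContainer maxFileCount="100" '
                'com.ibm.ws.webcontainer.maxFileCount="-1"/></server>',
    "unresolved": '<server><webContainer maxFileCount="${upload.limit}"/></server>',
}

def audit_max_file_count(server_xml: str) -> dict:
    """Classify the multipart file-count limit configured in a server.xml string."""
    root = ET.fromstring(server_xml)
    found = {}
    for elem in root.iter("webContainer"):
        for name in PROPS:
            if name in elem.attrib:
                found[name] = elem.attrib[name].strip()
    if not found:
        # No property present: the fixed web container applies its default.
        return {"status": "default", "limit": DEFAULT_LIMIT, "set_by": []}
    values = set(found.values())
    if len(values) > 1:
        # Both names set to different values: report it, do not guess precedence.
        return {"status": "conflict", "limit": None, "set_by": sorted(found)}
    raw = values.pop()
    try:
        limit = int(raw)
    except ValueError:
        # For example a ${variable} reference that this script cannot expand.
        return {"status": "unresolved", "limit": None, "set_by": sorted(found)}
    # -1 is the value the page documents for "do not limit the number of files".
    status = "unlimited" if limit == -1 else "explicit"
    return {"status": status, "limit": limit, "set_by": sorted(found)}

if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, audit_max_file_count(xml_text))
```

A result of "unlimited", "conflict" or "unresolved" is the one to review by hand, since the configured limit is then either disabled or not determinable from the file alone.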
TARGETS:
This feature is targeted for inclusion in WebSphere Application Server fix packs 8.5.5.24 and 9.0.5.16, and Liberty 23.0.0.4.
For more information, see the recommended updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Prerequisites
None
Installation Instructions
Review the readme.txt for detailed installation instructions.
URL | SIZE(Bytes) |
---|---|
V90 readme file | 2633 |
V85 readme file | 2718 |
23.0.0.3 IM readme file | 2157 |
23.0.0.3 archive readme file | 2421 |
22.0.0.12 IM readme file | 2751 |
22.0.0.12 archive readme file | 2540 |
Download Package
IMPORTANT NOTE: WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.
DOWNLOAD | RELEASE DATE | SIZE(Bytes) | URL |
---|---|---|---|
9.0.5.13-WS-WAS-IFPH50863 | 06 April 2023 | 423707 | FC |
9.0.5.14-WS-WAS-IFPH50863 | 06 April 2023 | 423710 | FC |
9.0.5.15-WS-WAS-IFPH50863 | 06 April 2023 | 423697 | FC |
8.5.5.22-WS-WAS-IFPH50863 | 06 April 2023 | 409706 | FC |
8.5.5.23-WS-WAS-IFPH50863 | 06 April 2023 | 409702 | FC |
23.0.0.3-WS-WLP-IFPH50863 | 06 April 2023 | 4991988 | FC |
23003-wlp-archive-IFPH50863 | 06 April 2023 | 4930404 | FC |
22.0.0.12-WS-WLP-PH54050 | 25 April 2023 | 5385319 | FC |
220012-wlp-archive-PH54050 | 25 April 2023 | 5323867 | FC |
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.
Problems Solved
PH50863
Change History
April 19 2023: Temporarily removes 22.0.0.12 fixes while a regression is investigated.
April 25 2023: 22.0.0.12 fixes are added as APAR PH54050.
Technical Support
Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).
Document Location
Worldwide
Document Information
Modified date:
25 April 2023
UID
ibm16981885