IBM Support

PI99524: RCE vulnerability in JSF SUNRI 1.2 used by WebSphere Application Server



Abstract

RCE vulnerability in JSF SUNRI 1.2 used by WebSphere Application Server

Download Description

PI99524 resolves the following problem:

ERROR DESCRIPTION:
RCE vulnerability in JSF SUNRI 1.2 used by WebSphere Application Server

LOCAL FIX:

PROBLEM SUMMARY:
RCE vulnerability in JSF SUNRI 1.2 used by WebSphere Application Server

IMPORTANT NOTICE:

PROBLEM CONCLUSION:
The JSF SUNRI 1.2 code was updated to throw an exception when client side state encryption is not enabled.

To enable client side encryption in JSF SUNRI 1.2, specify the password for the com.sun.faces.ClientStateSavingPassword environment entry in the web.xml file of the application.

To bypass client side state encryption, set the following property to true: com.ibm.ws.jsf.bypassClientSideStateEncryption

The default is false. This property can be set either as a context-parameter in the web.xml of the application or as a JVM argument. NOTE: IBM does not recommend using this property; encryption must be enabled to prevent a remote code execution vulnerability.
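As an added example (not part of the APAR text), a web.xml fragment that declares the ClientStateSavingPassword environment entry and leaves the bypass context-parameter at its default of false. It assumes the entry is declared as a standard Servlet env-entry of type java.lang.String, that client-side state saving is selected with the standard javax.faces.STATE_SAVING_METHOD parameter, and the password value shown is a placeholder:

```xml
<!-- web.xml fragment (added example, not from the APAR). -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Standard JSF switch: "client" sends the serialized view state to the
       browser, which is the mode in which the encryption password applies. -->
  <context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
  </context-param>

  <!-- Password used by JSF SUNRI 1.2 to encrypt client-side view state.
       Declared as a Servlet env-entry (assumed layout); replace the
       placeholder and manage it as a secret, not a checked-in literal. -->
  <env-entry>
    <env-entry-name>com.sun.faces.ClientStateSavingPassword</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>CHANGE-ME-long-random-secret</env-entry-value>
  </env-entry>

  <!-- Keep the bypass at its default. Setting it to true disables the
       exception introduced by PI99524 and re-exposes unencrypted state. -->
  <context-param>
    <param-name>com.ibm.ws.jsf.bypassClientSideStateEncryption</param-name>
    <param-value>false</param-value>
  </context-param>

</web-app>
```

After applying the interim fix, an application that saves state on the client without the password entry fails at startup with the new exception rather than running unprotected, which is the check to look for in the server logs.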

The fix for this APAR is currently targeted for inclusion in fix pack WebSphere Application Server 8.5.5.15. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
 

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL               SIZE(Bytes)
V80 Readme        2841
V70 Readme        5518
V85 Readme        2847
8.5.5.14 Readme   2742

Download Package

DOWNLOAD                      RELEASE DATE   SIZE(Bytes)   SOURCE
8.0.0.15-WS-WAS-IFPI99524     08-10-2018     261750        FC (Fix Central)
7.0.0.45-WS-WAS-IFPI99524     08-10-2018     16437         FC (Fix Central)
8.5.5.12-WS-WAS-IFPI99524     08-10-2018     264019        FC (Fix Central)
8.5.5.14-WS-WAS-IFPI99524     08-22-2018     262625        FC (Fix Central)

Problems Solved

PI99524


Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the support web site, or contact 1-800-IBM-SERV (U.S. only).


Document Information

Modified date:
28 August 2018

UID

ibm10725813