PH70078:IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2025-14917 CVSS 6.7)

Download

Downloadable File

File link	File size	File description

Abstract

IBM WebSphere Application Server Liberty could provide weaker than expected security (CVE-2025-14917 CVSS 6.7)

Download Description

View the Security Bulletin

PH70078 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity interim fix CVE-2025-14917.

PROBLEM SUMMARY:
Confidential for Security Integrity interim fix CVE-2025-14917.

PROBLEM CONCLUSION:
Confidential for CVE-2025-14917.

After this fix is installed, the default LTPA keys password is removed. Before the server is started, action is required if the LTPA keys password is not set; otherwise, the LTPA service fails. Perform the following actions:

Check for an explicit password for the LTPA keys. An explicit LTPA keys password exists in the following two conditions:
- A keysPassword attribute is provided for the <ltpa /> element in the server.xml file.
- The keystore_password environment variable exists in the server.env file.
If an explicit password is not found, you must add the following environment variable to the server.env file:
keystore_password=(your-desired-password)

keystore_password=(your-desired-password)

When the server starts, the keystore_password is used to re-encrypt the LTPA keys that were previously encrypted with the default keysPassword.

The fix for this APAR is targeted for inclusion in 26.0.0.4.

For more information, see Recommended Updates for WebSphere Application Server: https://www.ibm.com/support/pages/node/715553.

Prerequisites

None

Download Package

IMPORTANT NOTE:	WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table. Signature file is provided along with interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages.

IBM Installation Manager packages

DOWNLOAD	RELEASE DATE	URL
26.0.0.3-WS-WLP-IFPH70078	19 March 2026	FC
25.0.0.12-WS-WLP-IFPH70078	19 March 2026	FC
25.0.0.9-WS-WLP-IFPH70078	19 March 2026	FC

Archive packages (no IM)

DOWNLOAD	RELEASE DATE	URL
26003-wlp-archive-IFPH70078	19 March 2026	FC
250012-wlp-archive-IFPH70078	19 March 2026	FC
25009-wlp-archive-IFPH70078	19 March 2026	FC

Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH70078

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF017","label":"Mac OS"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"25.0.0.12;25.0.0.9;26.0.0.3","Edition":"Base","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]

Problems (APARS) fixed
PH70078

Was this topic helpful?

Document Information

Modified date:
24 March 2026

UID

ibm17266845

Tips