IBM Support

PH71756:IBM WEBSPHERE APPLICATION SERVER IS AFFECTED BY MULTIPLE VULNERABILITIES (CVE-2026-11712, CVE-2026-11595, CVE-2026-11708)

Download


Downloadable File

File linkFile sizeFile description
   
   
   
   
   

Abstract

Abstract: IBM WEBSPHERE APPLICATION SERVER IS AFFECTED BY MULTIPLE VULNERABILITIES (CVE-2026-11712, CVE-2026-11595, CVE-2026-11708)

Download Description

The fix for this APAR is targeted for inclusion in 8.5.5.31 and 9.0.5.29.

For more information, see: Recommended Updates for WebSphere Application Server

Installation Instructions

IMPORTANT


Manual action is required after applying PH71756 interim fixes on WebSphere Application Server 8.5.5.x. This action must be performed on the system that has the WebSphere Administrative Console deployed (such as standalone servers or deployment managers).  No action is required on WebSphere Application Server 9.0.5.x.

You must complete these steps before starting the server. If the server has already been started, stop the server before continuing the steps below.

  1. Determine the profile name, node name, and server name where the WebSphere Administrative Console (isclite.ear) is deployed to be substituted in the paths below.
  2. Save the contents of the iehs.war directory under WAS_HOME/profiles/profile_name/temp/node_name/server_name/isclite/
    • Zip up the contents of iehs.war and move the zip file to another directory(outside of the WAS installation). This will serve as a backup.
  3. Update the isclite.ear application using wsadmin
    • Invoke wsadmin from the WAS_HOME/profiles/profile_name/bin directory:

      wsadmin -lang jython -conntype none
    • In wsadmin run the following command, replacing WAS_HOME with the correct path before running the AdminApp.update command

      props='[-operation update -contents WAS_HOME/systemApps/isclite.ear/iehs.war -contenturi iehs.war -MapWebModToVH [[iehs.war iehs.war,WEB-INF/web.xml admin_host]]]'
      AdminApp.update('isclite', 'modulefile', props)
      AdminConfig.save()
  4. Delete the iehs.war directory under WAS_HOME/profiles/profile_name/temp/node_name/server_name/isclite
  5. Start the server

Download Package

IMPORTANT NOTE:
WebSphere Application Server and Liberty fix access requires S&S Entitlement beginning in 2021. Use properly registered IDs to download the fixes in this table.  

Signature file is provided along with interim fix. See Verifying WebSphere Application Server release packages and Verifying Liberty release packages. 
 

IBM Installation Manager packages

DOWNLOADRELEASE DATE

URL

9.0.5.16-WS-WASProd-IFPH71756 (applies to 9.0.5.16-9.0.5.28)30 June 2026FC
8.5.5.24-WS-WASProd-IFPH71756 (applies to 8.5.5.24-8.5.5.29)30 June 2026FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.

Problems Solved

PH71756

On

Technical Support

Contact IBM Support at https://www.ibm.com/mysupport/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"8.5.5.24;8.5.5.25;8.5.5.26;8.5.5.27;8.5.5.28;8.5.5.29;9.0.5.16;9.0.5.17;9.0.5.18;9.0.5.19;9.0.5.20;9.0.5.21;9.0.5.22;9.0.5.23;9.0.5.24;9.0.5.25;9.0.5.26;9.0.5.27;9.0.5.28","Edition":"Base","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]

Document Information

Modified date:
30 June 2026

UID

ibm17278563