IBM Support

PH07297: Denial of Service vulnerability in Guava (CVE-2018-10237) (PH09616 PH08804)

Abstract

Denial of Service vulnerability in Guava (CVE-2018-10237)

Download Description

PH07297 resolves the following problem: Denial of Service vulnerability in Guava (CVE-2018-10237). The vulnerability addressed in PH07297 applies to the OpenID Connect runtime in both WebSphere traditional and Liberty.

In WebSphere traditional, the fix for PH07297 has been superseded by the fix for PH08804: OIDC v1.1.0; OIDC RP default identifiers are not available when customs are configured. The WebSphere traditional fixes for PH07297 on this page have been replaced with the fixes for PH08804. If you had previously installed a WebSphere traditional ifix for PH07297, you must install the fix for PH08804. There is no need to remove PH07297 first.

In Liberty, the fix for PH07297 has been superseded by the fix for PH09616. The Liberty fixes for PH07297 on this page have been replaced with the fixes for PH09616. If you had previously installed a Liberty ifix for PH07297, you must install the fix for PH09616. There is no need to remove PH07297 first.

  • Java 7 or later is required for WebSphere traditional

    The fix for PH07297 in WebSphere traditional requires the use of Java Version 7 or later. The following must be taken into account when evaluating the need for installing a fix for PH07297/PH08804 on WebSphere traditional:

    • If you are running a WebSphere traditional system and you want to be protected from the vulnerability addressed in PH07297, you must meet one of the following conditions:
      • Have WebSphere traditional V90 or 8.5.5.14 or later installed -and- an ifix that includes a fix for PH07297 applied.
      • Have WebSphere traditional fixpack 9.0.0.11 (or later) or 8.5.5.16 (or later) installed.

THE FOLLOWING FIXES ARE PROVIDED:

Interim fix file | Readme | Fixpack range | Fix type
18003-wlp-archive-IFPH09616.jar | 18.0.0.3 Archive Readme | 18.0.0.3 | Liberty archive fix
18004-wlp-archive-IFPH09616.jar | 18.0.0.4 Archive Readme | 18.0.0.4 | Liberty archive fix
18.0.0.3-WS-WLP-IFPH09616.zip | 18.0.0.3 Liberty IM Readme | 18.0.0.3 | IM interim fix
18.0.0.4-WS-WLP-IFPH09616.zip | 18.0.0.4 Liberty IM Readme | 18.0.0.4 | IM interim fix
8.5.5.3-WS-WASProd-IFPH08804.zip | Readme v8.5 | 8.5.5.3 through 8.5.5.15 | IM interim fix
9.0.0.0-WS-WASProd-IFPH08804.zip | Readme v9.0 | 9.0.0.0 through 9.0.0.10 | IM interim fix

The fix for this APAR is currently targeted for inclusion in Liberty fix pack 19.0.0.1 and WebSphere traditional fix packs 8.5.5.16 and 9.0.0.11. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL | SIZE(Bytes)
18.0.0.3 Readme for Liberty Archive | 2337
18.0.0.4 Readme for Liberty Archive | 2250
Readme for Liberty Installation Manager package | 2383
V85 WebSphere traditional Readme | 5666
V90 WebSphere traditional Readme | 5490

Download Package

DOWNLOAD | RELEASE DATE | SIZE(Bytes) | DOWNLOAD Options
18003-wlp-archive-IFPH09616 | 03-21-2019 | 5828995 | FC
18004-wlp-archive-IFPH09616 | 03-21-2019 | 5800832 | FC
18.0.0.3-WS-WLP-IFPH09616 | 03-21-2019 | 5903616 | FC
18.0.0.4-WS-WLP-IFPH09616 | 03-21-2019 | 5873956 | FC
9.0.0.0-WS-WASProd-IFPH08804 | 03-11-2019 | 3533402 | FC
8.5.5.3-WS-WASProd-IFPH08804 | 03-11-2019 | 3980611 | FC

FC = Fix Central

Problems Solved

PH07297;PH08804

Change History

07 February 2019: Updated document to correct a typo in the APAR number in one sentence.
13 March 2019: Replaced the WebSphere traditional fixes with the ones for PH08804.
21 March 2019: Replaced the WebSphere Liberty fixes with the ones for PH09616.

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the support web site, or contact 1-800-IBM-SERV (U.S. only).

Document Location

Worldwide

Document Information

Modified date:
23 March 2019

UID

ibm10869162