IBM Support

PI77770: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)

Abstract

Cross-site request forgery in WebSphere Application Server OAuth service provider

Download Description

PI77770 resolves the following problem:

ERROR DESCRIPTION:
Cross-site request forgery in WebSphere Application Server OAuth service provider.

PROBLEM SUMMARY:
Cross-site request forgery in WebSphere Application Server OAuth service provider CVE-2017-1194.

RECOMMENDATION:
Apply this interim fix.

ADDITIONAL INSTALLATION INSTRUCTIONS FOR THE FULL PROFILE ONLY:
For any cell that is running WebSphereOauth20SP.ear, the fix will not be active in that cell until the installed WebSphereOauth20SP.ear is updated with the new EAR that this interim fix places in the installableApps directory.

This fix is an update to the OAuth EAR file, WebSphereOauth20SP.ear. It replaces the EAR file in the (WAS_HOME)/installableApps directory with the updated one from the fix. You can tell whether the OAuth EAR file is installed in your cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory.

If WebSphereOauth20SP.ear is installed in your cell, do the following after applying this fix:

    1. Update WebSphereOauth20SP.ear from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.
    2. If you are using network deployment, ensure that all of the nodes are synchronized.

THE FOLLOWING FIXES ARE PROVIDED:

    Full Profile:

      7.0.0.39-WS-WAS-IFPI77770.pak applies to fixpacks 7.0.0.39 through 7.0.0.41.
      7.0.0.43-WS-WAS-IFPI77770.pak applies to fixpack 7.0.0.43.
      8.0.0.9-WS-WASProd-IFPI77770.zip applies to fixpacks 8.0.0.9 through 8.0.0.11.
      8.0.0.12-WS-WASProd-IFPI77770.zip applies to fixpacks 8.0.0.12 through 8.0.0.13.
      8.5.5.6-WS-WASProd-IFPI77770.zip applies to the full profile, fixpacks 8.5.5.6 through 8.5.5.9.
      8.5.5.10-WS-WASProd-IFPI77770.zip applies to the full profile, fixpacks 8.5.5.10 through 8.5.5.11.
      9.0.0.2-WS-WASProd-IFPI77770.zip applies to the full profile, fixpacks 9.0.0.2 through 9.0.0.3.


    Liberty Profile:

      16.0.0.4-WS-WLP-IFPI77770.zip applies to the Liberty profile, version 16.0.0.4 via the Installation Manager.
      17.0.0.1-WS-WLP-IFPI77770.zip applies to the Liberty profile, version 17.0.0.1 via the Installation Manager.

      16004-wlp-archive-IFPI77770.jar is an archive fix that applies to the Liberty profile, version 16.0.0.4.
      17001-wlp-archive-IFPI77770.jar is an archive fix that applies to the Liberty profile, version 17.0.0.1.


    The fix for this APAR is currently targeted for inclusion in fix packs 17.0.0.2, 7.0.0.45, 8.0.0.14, 8.5.5.12, and 9.0.0.4. Please refer to the Recommended Updates page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

    Keywords: IBMWL3WSS OAUTH INTERIMFIX

    Prerequisites

    None

    Installation Instructions

    Please review the readme.txt for detailed installation instructions.

    Readme files:

      Readme v70 (US English, 5131 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI77770/7.0.0.41/readme.txt
      Readme v80 (US English, 2439 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI77770/8.0.0.13/readme.txt
      Readme v85 (US English, 2471 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI77770/8.5.5.11/readme.txt
      Readme v90 (US English, 2386 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI77770/9.0.0.3/readme.txt
      Archive Readme 16.0.0.4 (US English, 2022 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI77770/16.0.0.4/readme.txt
      Archive Readme 17.0.0.1 (US English, 2094 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI77770/17.0.0.1/readme.txt

    Download packages (Fix Central):

      7.0.0.39-WS-WAS-IFPI77770 (24 Apr 2017, 78335 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Application+Server&release=All&platform=All&function=fixId&fixids=7.0.0.39-WS-WAS-IFPI77770&includeSupersedes=0
      7.0.0.43-WS-WAS-IFPI77770 (28 Apr 2017, 78326 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Application+Server&release=All&platform=All&function=fixId&fixids=7.0.0.43-WS-WAS-IFPI77770&includeSupersedes=0
      8.0.0.9-WS-WASProd-IFPI77770 (16 May 2017, 287445 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Application+Server&release=All&platform=All&function=fixId&fixids=8.0.0.9-WS-WASProd-IFPI77770&includeSupersedes=0
      8.0.0.12-WS-WASProd-IFPI77770 (24 Apr 2017, 286417 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Application+Server&release=All&platform=All&function=fixId&fixids=8.0.0.12-WS-WASProd-IFPI77770&includeSupersedes=0
      8.5.5.6-WS-WASProd-IFPI77770 (10 May 2017, 289907 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Application+Server&release=All&platform=All&function=fixId&fixids=8.5.5.6-WS-WASProd-IFPI77770&includeSupersedes=0
      8.5.5.10-WS-WASProd-IFPI77770 (24 Apr 2017, 287381 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Application+Server&release=All&platform=All&function=fixId&fixids=8.5.5.10-WS-WASProd-IFPI77770&includeSupersedes=0
      9.0.0.2-WS-WASProd-IFPI77770 (24 Apr 2017, 287407 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Application+Server&release=All&platform=All&function=fixId&fixids=9.0.0.2-WS-WASProd-IFPI77770&includeSupersedes=0
      16.0.0.4-WS-WLP-IFPI77770 (24 Apr 2017, 1839688 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Liberty&release=All&platform=All&function=fixId&fixids=16.0.0.4-WS-WLP-IFPI77770&includeSupersedes=0
      16004-wlp-archive-IFPI77770 (24 Apr 2017, 1768550 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Liberty&release=All&platform=All&function=fixId&fixids=16004-wlp-archive-IFPI77770&includeSupersedes=0
      17.0.0.1-WS-WLP-IFPI77770 (24 Apr 2017, 1843841 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Liberty&release=All&platform=All&function=fixId&fixids=17.0.0.1-WS-WLP-IFPI77770&includeSupersedes=0
      17001-wlp-archive-IFPI77770 (24 Apr 2017, 1772682 bytes): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Liberty&release=All&platform=All&function=fixId&fixids=17001-wlp-archive-IFPI77770&includeSupersedes=0

    Technical Support

    Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

    Product: WebSphere Application Server (SSEQTP)
    Component: General
    Platforms: AIX, HP-UX, IBM i, Linux, iOS, Solaris, Windows, z/OS, Inspur K-UX
    Versions: 7.0.0.39, 7.0.0.41, 7.0.0.43, 8.0.0.9, 8.0.0.10, 8.0.0.11, 8.0.0.12, 8.0.0.13, 8.5.5.6, 8.5.5.7, 8.5.5.8, 8.5.5.9, 8.5.5.10, 8.5.5.11, 9.0.0.2, 9.0.0.3, 16.0.0.4, 17.0.0.1
    Editions: Base, Liberty, Network Deployment, Single Server

    Document Information

    Modified date:
    15 June 2018

    UID

    swg24043596