Fix (APAR): PI49272
Status: Fix
Release: 8.5.5.5, 8.5.5.4, 8.5.5.3, 8.5.5.2
Operating System: AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, z/OS
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 506263
Date: 2016-02-07

Abstract: Cross-site scripting in WebSphere Application Server OAuth service provider

Description/symptom of problem:
PI49272 resolves the following problem:

ERROR DESCRIPTION:
Cross-site scripting in WebSphere Application Server OAuth service provider.

PROBLEM SUMMARY:
Cross-site scripting in WebSphere Application Server OAuth service provider (CVE-2015-7417).

Directions to apply fix:

Fix applies to Editions: Release 8.5
  _x_ Application Server (Express or BASE)
  _x_ Network Deployment (ND)
  __  Liberty Core
  __  Edge Components
  __  Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions:
Update the WebSphereOauth20SP.ear from the (WAS_HOME)/installableApps directory.

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

This fix is an update to the OAuth ear file, WebSphereOauth20SP.ear. The updated ear file is placed in the (WAS_HOME)/installableApps directory. For any cell that is running the ear, the fix will not be active in that cell until the installed WebSphereOauth20SP.ear is updated from the new ear in the installableApps directory.

You can tell if the OAuth ear file is installed in a cell by checking for a directory called WebSphereOauth20SP.ear in the (CELL_ROOT)/applications directory. If WebSphereOauth20SP.ear is installed in your cell, do the following after applying the fix:
1) Update WebSphereOauth20SP.ear from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.
2) If you are using network deployment, ensure that all of the nodes are synchronized.

Directions to remove fix:
The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes: http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

After removing the fix, if the WebSphereOauth20SP.ear is installed in the cell, it will not be replaced with the original version until it is updated from the installableApps directory. If WebSphereOauth20SP.ear is installed in your cell, do the following after removing the fix:
1) Update WebSphereOauth20SP.ear from the (WAS_HOME)/installableApps directory on your stand-alone application server or deployment manager.
2) If you are using network deployment, ensure that all of the nodes are synchronized.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
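The installed-ear check described above, written out as an added POSIX sh helper that is not part of IBM's fix package: given WAS_HOME and the CELL_ROOT of one cell, it reports whether the OAuth ear is installed in that cell and, by comparing file times, whether the installed copy still predates the fixed ear in installableApps (i.e. the fix is applied but not yet active there). The function name, the status words and the timestamp heuristic are assumptions of this example.

```shell
#!/bin/sh
# Hypothetical helper (not IBM's code): after applying PI49272, find cells that
# still run the pre-fix WebSphereOauth20SP.ear.
#
# Usage: oauth_ear_status WAS_HOME CELL_ROOT
# Prints exactly one status word:
#   MISSING_FIXED_EAR  no ear in WAS_HOME/installableApps (fix not applied, or wrong path)
#   NOT_INSTALLED      the cell does not run the OAuth ear; nothing to update
#   CURRENT            the installed ear was written after the fixed ear; update done
#   STALE              the installed ear predates the fixed ear; update it, then sync nodes
oauth_ear_status() {
    was_home=$1
    cell_root=$2
    fixed_ear="$was_home/installableApps/WebSphereOauth20SP.ear"
    installed_dir="$cell_root/applications/WebSphereOauth20SP.ear"

    if [ ! -f "$fixed_ear" ]; then
        echo "MISSING_FIXED_EAR"
        return 0
    fi
    # The page's own check: an installed ear shows up as a directory of that name.
    if [ ! -d "$installed_dir" ]; then
        echo "NOT_INSTALLED"
        return 0
    fi
    # Assumed heuristic: the installed copy is an expanded directory. If any file in
    # it is newer than the fixed ear in installableApps, the update has been run.
    newer=$(find "$installed_dir" -type f -newer "$fixed_ear" 2>/dev/null | head -n 1)
    if [ -n "$newer" ]; then
        echo "CURRENT"
    else
        echo "STALE"
    fi
    return 0
}

# Stand-alone use: report on each cell root given on the command line.
if [ "$#" -ge 2 ] && [ -z "$OAUTH_EAR_NO_MAIN" ]; then
    was_home=$1
    shift
    for cell_root in "$@"; do
        printf '%s\t%s\n' "$cell_root" "$(oauth_ear_status "$was_home" "$cell_root")"
    done
fi
```

Run as `sh check_oauth_ear.sh /opt/IBM/WebSphere/AppServer /path/to/cell1 /path/to/cell2`; any cell reported STALE still needs step 1) (update from installableApps) and, under network deployment, step 2) (node synchronization) before the fix is in effect there.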