Fix (APAR): PI56811
Status: Fix
Release: 8.5.5.9, 8.5.5.8
Operating System: AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, z/OS
Supersedes Fixes:
CMVC Defect:
Byte size of APAR: 11105318
Date: 2016-06-06

Abstract: Potential security vulnerability in IBM WebSphere Application Server (CVE-2015-0254)

Description/symptom of problem:

PI56811 resolves the following problem:

Apache Standard Taglibs could allow a remote attacker to execute arbitrary code on the system, caused by an XML External Entity Injection (XXE) error when processing XML data. By sending specially crafted XML data, an attacker could exploit this vulnerability to execute arbitrary code on the system.

Directions to apply fix:

1. Open a console and direct it to the location of your iFix jar.
2. For 8.5.5.9 run the command "java -jar 8559-wlp-archive-IFPI56811.jar"; for 8.5.5.8 run the command "java -jar 8558-wlp-archive-IFPI56811.jar". The following launch options are available for the jar:
   --installLocation [LibertyRootDir]
      By default the jar looks for a "wlp" directory in its current location. If your Liberty profile install directory is not named "wlp" and/or is not in the same directory as the jar, use this option to change where the jar will patch. [LibertyRootDir] can be either relative to the location of the jar or an absolute file path.
   --suppressInfo
      Hides all messages other than the confirmation that the patch has completed and any error messages.
3. Stop your Liberty profile server(s).
4. When you next start your Liberty profile server(s), the fix will become active in your runtime.

Directions to remove fix:

1. Stop your Liberty profile server(s).
2. Delete the following files (file locations are relative to your Liberty profile install root):
   For 8.5.5.8:
   - lib/com.ibm.ws.jsp_1.0.11.cl50820160505-1635.jar
   - lib/fixes/8558-wlp-archive-IFPI56811_8.5.500820160505_1635.xml
   For 8.5.5.9:
   - lib/com.ibm.ws.jsp_1.0.12.cl50920160505-1636.jar
   - lib/fixes/8559-wlp-archive-IFPI56811_8.5.500920160505_1636.xml
3. When you next start your Liberty profile server(s), the fix will become inactive in your runtime.

Directions to re-apply fix:

1. Follow the instructions to apply the fix.

Additional Information:
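As an added check that is not part of this readme: a POSIX shell function that uses the file names listed in the removal directions to report whether the PI56811 fix is applied (both files present), not applied (both absent), or left in an inconsistent state under a given Liberty install root. The function name and exit codes are my own choice, not IBM's.

```shell
#!/bin/sh
# Added example, not part of the IBM readme: report whether the PI56811 iFix
# files the readme lists are present under a Liberty profile install root.
# Usage: pi56811_check <LibertyRootDir> <8.5.5.8|8.5.5.9>
# Exit status: 0 = fix applied (both files present)
#              1 = fix not applied (both files absent)
#              2 = unsupported release argument
#              3 = inconsistent install (only one of the two files present)
pi56811_check() {
    root=$1
    release=$2
    # File names taken from the readme's "Directions to remove fix".
    case "$release" in
        8.5.5.8)
            jar="lib/com.ibm.ws.jsp_1.0.11.cl50820160505-1635.jar"
            fixxml="lib/fixes/8558-wlp-archive-IFPI56811_8.5.500820160505_1635.xml"
            ;;
        8.5.5.9)
            jar="lib/com.ibm.ws.jsp_1.0.12.cl50920160505-1636.jar"
            fixxml="lib/fixes/8559-wlp-archive-IFPI56811_8.5.500920160505_1636.xml"
            ;;
        *)
            echo "pi56811_check: unsupported release '$release'" >&2
            return 2
            ;;
    esac
    present=0
    for f in "$jar" "$fixxml"; do
        if [ -f "$root/$f" ]; then
            echo "present: $f"
            present=$((present + 1))
        else
            echo "absent:  $f"
        fi
    done
    case "$present" in
        2) echo "PI56811 is applied for $release under $root"; return 0 ;;
        0) echo "PI56811 is not applied for $release under $root"; return 1 ;;
        *) echo "PI56811 is only partially present for $release under $root; re-apply or remove the fix" >&2
           return 3 ;;
    esac
}
```

Run it against the install root before and after applying or removing the fix; a status of 3 means the jar and its lib/fixes record disagree, so the install should be repaired by following the apply or remove directions again.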