IBM Support

PH43760:IBM WebSphere Application Server is vulnerable to Clickjacking (CVE-2021-39038)


Abstract

IBM WebSphere Application Server is vulnerable to Clickjacking (CVE-2021-39038)

Download Description

PH43760 resolves the following problem:

ERROR DESCRIPTION:
IBM WebSphere Application Server is vulnerable to Clickjacking (CVE-2021-39038)
The APAR for this issue that applies to WebSphere Liberty is PH43223.

PROBLEM SUMMARY:
IBM WebSphere Application Server is vulnerable to Clickjacking (CVE-2021-39038)

PROBLEM CONCLUSION:
Confidential for CVE-2021-39038.
ADDITIONAL STEPS:

After this interim fix is applied, perform the following steps on each of your WebSphere Application Server profiles:

  • Run the following command from the (WAS_HOME)/profiles/(profileName)/bin directory:
    Windows, IBM i:
    wsadmin -lang jython -conntype NONE -c "AdminApp.update('SwaggerUI', 'app', '[-operation update -contents (WAS_HOME)/systemApps/SwaggerUI.ear -installed.ear.destination "(WAS_HOME)/systemApps" -zeroEarCopy]')"
    Unix:
    ./wsadmin.sh -lang jython -conntype NONE -c "AdminApp.update('SwaggerUI', 'app', '[-operation update -contents (WAS_HOME)/systemApps/SwaggerUI.ear -installed.ear.destination "(WAS_HOME)/systemApps" -zeroEarCopy]')"
  • Replace (WAS_HOME) with the root directory of your WebSphere installation.
  • If security is enabled in your cell, add the following parameters to the command so that it does not prompt for administrative credentials:
    -username (userName) -password (password)
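The advisory does not state what the fix changes (the problem conclusion is confidential), so the practical verification after applying it is to confirm that the affected responses carry the standard anti-clickjacking controls: a Content-Security-Policy frame-ancestors directive or an X-Frame-Options header. The following check is an added example, not IBM's code and not part of the fix; it evaluates a response's headers the way current browsers do (frame-ancestors takes precedence over X-Frame-Options, and unsupported X-Frame-Options values are ignored) and runs offline against constructed sample headers.

```python
"""Assess whether an HTTP response's headers stop the page from being framed.

Added example for post-fix verification; it makes no assumption about what
the PH43760 fix itself changes and only judges the headers it is given.
"""
from typing import List, Mapping, Optional, Tuple

# Source expressions that still let any site frame the page.
OPEN_SOURCES = {"*", "http:", "https:"}


def header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [token.lower() for token in tokens[1:]]
    return None


def assess(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response.

    Browsers that implement frame-ancestors apply it and ignore
    X-Frame-Options when both are present, so CSP is evaluated first.
    """
    csp = header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            # An empty source list or 'none' matches no ancestor: framing is blocked.
            if not sources or "'none'" in sources:
                return True, "CSP frame-ancestors 'none': page cannot be framed"
            if OPEN_SOURCES & set(sources):
                return False, "CSP frame-ancestors permits any origin"
            return True, "CSP frame-ancestors restricted to: " + " ".join(sources)
    xfo = header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {value}"
        # ALLOW-FROM was never broadly supported and current browsers drop it;
        # any unrecognised value is ignored, which leaves the page frameable.
        return False, f"X-Frame-Options value {xfo!r} is not enforced by browsers"
    return False, "no frame-ancestors or X-Frame-Options header: page can be framed"


# Constructed sample responses (not captured from a real server).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_only": {"content-type": "text/html", "x-frame-options": "sameorigin"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_open": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        protected, reason = assess(hdrs)
        print(f"{name:12s} {'PROTECTED' if protected else 'FRAMEABLE':10s} {reason}")
```

To use it against a live profile, fetch the SwaggerUI and administrative console pages with any HTTP client and pass the response headers to `assess`; a result of `FRAMEABLE` after the interim fix is the signal to investigate further.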

The fix for this APAR is targeted for inclusion in fix pack 9.0.5.12.

For more information, see 'Recommended Updates for WebSphere Application Server':
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

None

Installation Instructions

Review the readme.txt for detailed installation instructions.
Readme files
URL             | SIZE (Bytes)
V90 readme file | 2164

Download Package

Important note: WebSphere Application Server and Liberty fix access requires S&S Entitlement in 2021. Use properly registered IDs to download the fixes in this table.
Download files
DOWNLOAD                                | RELEASE DATE     | SIZE (BYTES) | PLATFORM    | FIXPACKS | URL
9.0.5.9-WS-WASProd-DistOnly-IFPH43760   | 17 February 2022 | 1586000      | Distributed | 9.0.5.9  | FC
9.0.5.10-WS-WASProd-DistOnly-IFPH43760  | 17 February 2022 | 1586041      | Distributed | 9.0.5.10 | FC
9.0.5.11-WS-WASProd-DistOnly-IFPH43760  | 15 March 2022    | 1586223      | Distributed | 9.0.5.11 | FC
Note: FC stands for Fix Central. Review the What is Fix Central (FC)? FAQs for more details.
The links to the z/OS fixes were removed from this document on 3/23/2022 due to a packaging issue. These fixes will be restored when they are repackaged.

Problems Solved

PH43760

Change History

  • 15 March 2022: Add links to 9.0.5.11 interim fixes.
  • 23 March 2022: Remove links to z/OS interim fixes.

Technical Support

Contact IBM Support at https://www.ibm.com/software/mysupport/s/ or 1-800-IBM-SERV (US only).

Document Location

Worldwide

Document Information

Modified date:
23 March 2022

UID

ibm16557322