Fix (APAR): PH29368
Status: Fix
Release: 20.0.0.9,20.0.0.6,20.0.0.3
Operating System: AIX,HP-UX,IBM i,Linux,OS X,Solaris,Windows
Supersedes Fixes: PH22080,PH24154
CMVC Defect: xxxxxx
Byte size of APAR: 9562330
Date: 2020-09-15

Abstract: Denial of service attack vulnerability in oauth-2.0 or openidConnectServer-1.0 (CVE-2020-4590. CVSS score 5.3)

Description/symptom of problem:
PH29368 resolves the following problem:

ERROR DESCRIPTION:
WebSphere Liberty running oauth-2.0 or openidConnectServer-1.0 features is vulnerable to a denial of service attack (CVE-2020-4590. CVSS score 5.3).

LOCAL FIX:

PROBLEM SUMMARY:
WebSphere Liberty running oauth-2.0 or openidConnectServer-1.0 features is vulnerable to a denial of service attack (CVE-2020-4590. CVSS score 5.3).

PROBLEM CONCLUSION:
Code is updated to remove the vulnerability.

The fix for this APAR is currently targeted for inclusion in fix pack 20.0.0.10. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Directions to apply fix:
Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.9.0 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server Liberty before applying the iFixes.
Restart WebSphere Application Server Liberty after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server Liberty before removing the iFixes.
Restart WebSphere Application Server Liberty after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server Liberty.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server Liberty.

Additional Information:
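
The following is an added example, not part of IBM's fix readme: a way to triage which Liberty servers need this fix by checking whether a server.xml enables either feature named in the abstract. The sample configuration is constructed, the function names are hypothetical, and case-insensitive matching of feature names is an assumption made so that a differently cased entry is not missed.

```python
import sys
import xml.etree.ElementTree as ET

# Feature names from the APAR abstract, lower-cased for comparison (assumption:
# match case-insensitively so an entry such as "OAuth-2.0" is still reported).
AFFECTED_FEATURES = {"oauth-2.0", "openidconnectserver-1.0"}

# Constructed sample server.xml, for illustration only.
SAMPLE_SERVER_XML = """<server description="constructed sample">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>openidConnectServer-1.0</feature>
    <feature> ssl-1.0 </feature>
  </featureManager>
</server>"""


def enabled_features(server_xml_text):
    """Return every feature listed in any <featureManager> element."""
    root = ET.fromstring(server_xml_text)
    names = []
    for manager in root.iter("featureManager"):
        for feature in manager.findall("feature"):
            name = (feature.text or "").strip()
            if name:
                names.append(name)
    return names


def affected_features(server_xml_text):
    """Return the enabled features that this APAR names, as written in the file."""
    return sorted(
        name for name in enabled_features(server_xml_text)
        if name.lower() in AFFECTED_FEATURES
    )


if __name__ == "__main__":
    # Usage: python check_features.py <server.xml> [<server.xml> ...]
    # With no arguments the constructed sample is checked instead.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as handle:
                print(path, affected_features(handle.read()))
    else:
        print("sample", affected_features(SAMPLE_SERVER_XML))
```

Features can also be enabled from included or drop-in configuration files, so pass every configuration file a server loads, not only its top-level server.xml.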