Fix (APAR): PH43148
Status: Fix
Release: 9.0.5.10, 9.0.5.9, 9.0.5.8, 9.0.5.7, 9.0.5.6, 9.0.5.5, 9.0.5.4, 9.0.5.3
Operating System: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Supersedes Fixes: PH34122, PH38485, PH42762, PH42728, PH37034
CMVC Defect: xxxxxx
Byte size of APAR: 16642605
Date: 2022-03-03

Abstract:
IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450, CVSS 9.8).

Description/symptom of problem:
PH43148 resolves the following problem:

ERROR DESCRIPTION:
Confidential for Security Integrity ifix CVE-2021-23450.

LOCAL FIX:

PROBLEM SUMMARY:
Confidential for Security Integrity ifix CVE-2021-23450.

PROBLEM CONCLUSION:
Confidential for CVE-2021-23450.

Directions to apply fix:
Install the fix on all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.8.5 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information:
No additional steps are required for WebSphere Application Server Base.

If you are running WebSphere Application Server Network Deployment, additional steps are required for all deployment manager profiles. On each of your WebSphere Application Server Network Deployment deployment manager profiles, perform the following steps after applying this interim fix:

1. Check whether the dojo.zip file exists within the deployment manager profile directory:
   (washome)/profiles/(dmgrprofile)/config/cells/(cellname)/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/dojo.zip
   If the dojo.zip file does not exist within a deployment manager profile, no additional steps are required for that profile.

2. If the dojo.zip file does exist within a deployment manager profile, run the following command from the (WAS_HOME)/bin directory:

   Windows/IBM i:
   wsadmin -lang jython -c "AdminApp.update('isclite', 'file', '[-operation update -contents (WAS_HOME)/systemApps/isclite.ear/isclite.war/WEB-INF/dojo.zip -contenturi isclite.war/WEB-INF/dojo.zip]')"

   Unix:
   ./wsadmin.sh -lang jython -c "AdminApp.update('isclite', 'file', '[-operation update -contents (WAS_HOME)/systemApps/isclite.ear/isclite.war/WEB-INF/dojo.zip -contenturi isclite.war/WEB-INF/dojo.zip]')"

   Replace (WAS_HOME) with the installation root directory of your deployment manager. If you have security enabled on your deployment manager, you can add the -username (userName) and -password (password) parameters to prevent a popup requesting admin credentials from appearing.
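The two post-install steps above are easy to miss on a Network Deployment cell with several deployment manager profiles, and a profile that still carries its own dojo.zip under isclite keeps serving that copy until step 2 pushes the patched file from systemApps over it. The POSIX sh script below is an added example written for this readme; it is not IBM's code and does not ship with the fix. It walks every profile under WAS_HOME, reports the profiles whose isclite deployment still contains dojo.zip, and prints (never runs) the exact wsadmin command from step 2 for each one so an operator can review it before executing it from (WAS_HOME)/bin. Assumptions: profiles live under WAS_HOME/profiles, the cell name is the directory under config/cells as in the path the readme quotes, and the Unix form of the command is wanted (on Windows or IBM i substitute wsadmin for wsadmin.sh).

```shell
#!/bin/sh
# Added example, not part of the IBM readme: locate deployment manager
# profiles that still hold a dojo.zip under isclite after PH43148 is
# installed, and print the wsadmin update command the readme prescribes.
# Nothing is executed against WebSphere; the operator reviews the output.
# Assumption: WAS_HOME/profiles/<profile>/config/cells/<cell>/... layout,
# exactly as the path quoted in step 1 of the readme.

# Path of the dojo.zip that step 1 tells you to look for.
dojo_zip_path() {
  # $1 = WAS_HOME, $2 = profile name, $3 = cell name
  printf '%s/profiles/%s/config/cells/%s/applications/isclite.ear/deployments/isclite/isclite.war/WEB-INF/dojo.zip\n' "$1" "$2" "$3"
}

# Exit 0 when the profile needs the step-2 update, 1 otherwise.
needs_isclite_update() {
  [ -f "$(dojo_zip_path "$1" "$2" "$3")" ]
}

# Print the Unix form of the step-2 command. Optional $2/$3 are the
# -username/-password values that avoid the credential popup when
# administrative security is enabled on the deployment manager.
isclite_update_command() {
  was_home=$1
  creds=""
  if [ -n "${2:-}" ]; then
    creds=" -username $2 -password $3"
  fi
  jy="AdminApp.update('isclite', 'file', '[-operation update -contents $was_home/systemApps/isclite.ear/isclite.war/WEB-INF/dojo.zip -contenturi isclite.war/WEB-INF/dojo.zip]')"
  printf '%s/bin/wsadmin.sh -lang jython%s -c "%s"\n' "$was_home" "$creds" "$jy"
}

# Walk every profile and cell; print "profile cell" for each one that still
# carries the dojo.zip and therefore needs the extra step.
profiles_needing_update() {
  was_home=$1
  for pdir in "$was_home"/profiles/*/; do
    [ -d "$pdir" ] || continue
    profile=$(basename "$pdir")
    for cdir in "$pdir"config/cells/*/; do
      [ -d "$cdir" ] || continue
      cell=$(basename "$cdir")
      if needs_isclite_update "$was_home" "$profile" "$cell"; then
        printf '%s %s\n' "$profile" "$cell"
      fi
    done
  done
}

# Usage: sh check_dojo.sh /opt/IBM/WebSphere/AppServer [adminUser adminPass]
# With no arguments the script only defines the functions above.
if [ -n "${1:-}" ]; then
  profiles_needing_update "$1" | while read -r profile cell; do
    echo "# $profile ($cell) still has $(dojo_zip_path "$1" "$profile" "$cell")"
    isclite_update_command "$1" "${2:-}" "${3:-}"
  done
fi
```

Run it once per Network Deployment installation after the interim fix is applied and before the deployment manager is restarted for production use; an empty report means every profile is already in the state step 1 describes as needing no further action. Passing credentials on the command line puts the password in the process list and shell history, so on a hardened host prefer letting wsadmin prompt, or use its -conntype/-profileName options with a properties file rather than this script's optional arguments.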