Fix (APAR):  PH43817

Status:  Fix

Release:  21.0.0.12,21.0.0.9

Operating System:  AIX,HP-UX,IBM i,Linux,OS X,Solaris,Windows,iOS,z/OS

Supersedes Fixes:  PH39418

CMVC Defect:  xxxxxx

Byte size of APAR:  17883999

Date: 2022-02-14

Abstract:  IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)

Description/symptom of problem:  

PH43817 resolves the following problem:

IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450 CVSS 9.8)


Directions to apply fix:  
Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE:
The user must:
* Logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.9.0 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Information Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes.
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html.

Shutdown WebSphere Application Server Liberty before applying the iFixes. 
Restart WebSphere Application Server Liberty after applying the iFixes.


Directions to remove fix:  
The IBM Information Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes.
http://www.ibm.com/support/knowledgecenter/SSDV2W_1.8.5/com.ibm.cic.agent.ui.doc/helpindex_imic.html.

Shutdown WebSphere Application Server Liberty before removing the iFixes. 
Restart WebSphere Application Server Liberty after removing the iFixes.


Directions to re-apply fix:  
1) Shutdown WebSphere Application Server Liberty.

2) Follow the Fix instructions to apply the fix.

3) Restart WebSphere Application Server Liberty.


Additional Information: