Fix (APAR): PH50342 Status: Fix Release: 22.0.0.9 Operating System: AIX,HP-UX,IBM i,Linux,Solaris,Windows,OS X,z/OS Supersedes Fixes: CMVC Defect: Byte size of APAR: 14654202 Date: 20221125 Abstract: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171 CVSS 5.7, CVE-2022-3509 CVSS 5.7) Description/symptom of problem: PH50342 resolves the following problem: IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Google protobuf-java (CVE-2022-3171 CVSS 5.7, CVE-2022-3509 CVSS 5.7) Review: https://www-01.ibm.com/support/docview.wss?uid=ibm10961580 for installing into a Docker application image based on Liberty images. Directions to apply fix: 1. Open a console and direct it to the location of your iFix jar 2. Run the command "java -jar 22009-wlp-archive-IFPH50342.jar". The following launch options are available for the jar: --installLocation [LibertyRootDir] by default the jar will look for a "wlp" directory in its current location. If your WebSphere Liberty install location is different to "wlp" and/or is not in the same directory as the jar then you can use this option to change where the jar will patch. [LibertyRootDir] can either be relative to the location of the jar or an absolute file path. --suppressInfo hides all messages other than confirming the patch has completed or error messages. 3. Stop your WebSphere Liberty server(s). 4. When you next start your WebSphere Liberty server(s), the fix will become active in your runtime. Directions to remove fix: 1. Stop your WebSphere Liberty server(s). 2. You will need to delete the following files if they exist (file locations are relative to your WebSphere Liberty install root): - lib/io.openliberty.grpc.1.0.internal.common_1.0.68.cl220920221125-1642.jar - lib/io.openliberty.grpc.1.0.internal.monitor_1.0.68.cl220920221125-1642.jar - lib/io.openliberty.grpc.1.0.internal.client.monitor_1.0.68.cl220920221125-1642.jar - lib/io.openliberty.grpc.1.0.internal.common.jakarta_1.0.68.cl220920221125-1642.jar - lib/fixes/22009-wlp-archive-IFPH50342_22.0.0009.20221125_2029.xml - lib/fixes/22009-wlp-archive-IFPH50342_22.0.0009.20221125_2029.lpmf 3. When you next start your WebSphere Liberty server(s), the fix will become inactive in your runtime. Directions to re-apply fix: 1. Follow the instructions to apply the fix. Additional Information: