Fix (APAR): PI33357
Status: Fix
Release: 8.5.5.4, 8.5.5.2, 8.5.0.2
Operating System: AIX, HP-UX, IBM i, Inspur K-UX, Linux, Mac OS, Solaris, Windows, i5/OS, z/OS
Supersedes Fixes:
CMVC Defect:
Byte size of APAR: 5268631
Date: 2015-03-05
Abstract: Privilege Escalation vulnerability on WebSphere Application Server Liberty Profile

Description/symptom of problem:

PI33357 resolves the following problem:

ERROR DESCRIPTION:
WebSphere Application Server Liberty Profile could allow a remote attacker to gain elevated privileges on the system, caused by the Run-as user for an EJB not being honored under multi-threaded race conditions.

LOCAL FIX:

PROBLEM SUMMARY:
WebSphere Application Server Liberty Profile could allow a remote attacker to gain elevated privileges on the system, caused by the Run-as user for an EJB not being honored under multi-threaded race conditions.

PROBLEM CONCLUSION:
Confidential for Security Integrity ifix

Directions to apply fix:

For 8.5.5.4:
1. Open a console and direct it to the location of your iFix jar.
2. Run the command "java -jar 8554-wlp-archive-IFPI33357.jar". The following launch options are available for the jar:
   --installLocation [LibertyRootDir]  By default the jar looks for a "wlp" directory in its current location. If your Liberty profile install location is different from "wlp" and/or is not in the same directory as the jar, use this option to change where the jar will patch. [LibertyRootDir] can be either relative to the location of the jar or an absolute file path.
   --suppressInfo  Hides all messages other than the confirmation that the patch has completed, or error messages.
3. Stop your Liberty profile server(s).
4. When you next start your Liberty profile server(s), the fix will become active in your runtime.

Additional Information:

For 8.5.5.2:
1. Open a console and direct it to the location of your iFix jar.
2. Run the command "java -jar 8552-wlp-archive-IFPI33357.jar". The following launch options are available for the jar:
   --installLocation [LibertyRootDir]  By default the jar looks for a "wlp" directory in its current location. If your Liberty profile install location is different from "wlp" and/or is not in the same directory as the jar, use this option to change where the jar will patch. [LibertyRootDir] can be either relative to the location of the jar or an absolute file path.
   --suppressInfo  Hides all messages other than the confirmation that the patch has completed, or error messages.
3. Stop your Liberty profile server(s).
4. When you next start your Liberty profile server(s), the fix will become active in your runtime.

For 8.5.0.2:
1. Open a console and direct it to the location of your iFix jar.
2. Run the command "java -jar 8.5.0.2-WS-WASProd_WLPArchive-IFPI33357.jar". The following launch options are available for the jar:
   --installLocation [LibertyRootDir]  By default the jar looks for a "wlp" directory in its current location. If your Liberty profile install location is different from "wlp" and/or is not in the same directory as the jar, use this option to change where the jar will patch. [LibertyRootDir] can be either relative to the location of the jar or an absolute file path.
   --suppressInfo  Hides all messages other than the confirmation that the patch has completed, or error messages.
3. Stop your Liberty profile server(s).
4. Start your Liberty profile server(s) with the --clean parameter as a launch option (i.e. server start --clean). The --clean option only needs to be used once; subsequent server starts will not require it.

Directions to remove fix:

For 8.5.5.4:
1. Stop your Liberty profile server(s).
2. Delete the following files (file locations are relative to your Liberty profile install root):
   - lib/com.ibm.ws.security.appbnd_1.0.0.cl50420150130-0405.jar
   - lib/fixes/8554-wlp-archive-IFPI33357_8.5.5003.20150130_0405.xml
3. When you next start your Liberty profile server(s), the fix will become inactive in your runtime.

For 8.5.5.2:
1. Stop your Liberty profile server(s).
2. Delete the following files (file locations are relative to your Liberty profile install root):
   - lib/com.ibm.ws.security.appbnd_1.0.2.cl50220150216-1613.jar
   - lib/fixes/8552-wlp-archive-IFPI33357_8.5.5002.20150216_1613.xml
3. When you next start your Liberty profile server(s), the fix will become inactive in your runtime.

For 8.5.0.2:
1. Stop your Liberty profile server(s).
2. Delete the following files (file locations are relative to your Liberty profile install root):
   - lib/com.ibm.ws.webcontainer.security.app_1.0.2.20130628-0357.jar
   - lib/com.ibm.ws.classloading_1.0.2.20130531-1507.jar
   - lib/com.ibm.ws.security.authentication.tai_1.0.2.20130531-1507.jar
   - lib/com.ibm.ws.security.authentication_1.0.0.20130531-1507.jar
   - lib/com.ibm.ws.security.authentication.builtin_1.0.2.20130531-1507.jar
   - lib/com.ibm.ws.webcontainer.security_1.0.1.20150223-1526.jar
   - lib/com.ibm.ws.webcontainer_1.0.2.20130531-1507.jar
   - lib/com.ibm.ws.webcontainer.security.admin_1.0.2.20130628-0357.jar
   - lib/fixes/8.5.0.2-WS-WASProd_WLPArchive-IFPI33357_8.5.2.20150223_1945.xml
3. Start your Liberty profile server(s) with the --clean parameter as a launch option (i.e. server start --clean). The --clean option only needs to be used once; subsequent server starts will not require it.

Directions to re-apply fix:
1. Follow the instructions to apply the fix.

Additional Information:
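An inventory check, added here and not part of IBM's readme: it looks under lib/fixes of a Liberty install root for the PI33357 marker XML that the apply step writes (the exact marker file names for each release appear in the removal directions above) and reports whether the fix is installed. The install root passed in is an assumption; the IFPI33357 naming pattern is taken from the file names on this page.

```shell
#!/bin/sh
# Report whether iFix PI33357 is installed in a Liberty install root
# (the directory that contains lib/). Example install root used below
# is an assumption for illustration.
#
# Presence of the marker shows the fix is installed, not that it is
# active: per the readme it only takes effect after the server(s) are
# restarted, and on 8.5.0.2 the first start after patching needs --clean.

# Print every PI33357 marker XML found under lib/fixes; return 0 if at
# least one exists, 1 otherwise.
ifix_pi33357_markers() {
    root="$1"
    found=1
    for f in "$root"/lib/fixes/*IFPI33357*.xml; do
        # An unmatched glob expands to the literal pattern; skip it.
        [ -f "$f" ] || continue
        printf '%s\n' "$f"
        found=0
    done
    return "$found"
}

# Print APPLIED or MISSING for the given install root.
ifix_pi33357_status() {
    if ifix_pi33357_markers "$1" >/dev/null; then
        echo APPLIED
    else
        echo MISSING
    fi
}

# Stand-alone usage: check the install root given as the first argument,
# defaulting to an assumed /opt/ibm/wlp.
if [ "${0##*/}" = "check_pi33357.sh" ]; then
    root="${1:-/opt/ibm/wlp}"
    echo "$root: $(ifix_pi33357_status "$root")"
    ifix_pi33357_markers "$root" || true
fi
```

Run it against every Liberty install root on a host after patching; a MISSING result on a release listed above means the iFix jar was never run for that root, or was run with the wrong --installLocation.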