Fix (APAR): PI30579
Status: Fix
Release: 8.5.5.4
Operating System: Windows
Supersedes Fixes:
CMVC Defect: xxxxxx
Byte size of APAR: 268935
Date: 2015-04-16

Abstract: Security Vulnerability with JavaServer Faces 2.0 portlet application

Description/symptom of problem:
PI30579 resolves the following problem:

ERROR DESCRIPTION:
WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the JavaServer Faces (JSF) 2.0 portlet application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

LOCAL FIX:

PROBLEM SUMMARY:
The JSF 2.0 portlet bridge needs to be updated to restrict access to resources within the JSF 2.0 portlet application.

PROBLEM CONCLUSION:
The JSF 2.0 portlet bridge was updated to restrict access to resources within the JSF 2.0 portlet application.

Directions to apply fix:

NOTE: Mark with an X the:
1) Release the fix applies to
2) The Editions that apply
3) And then DELETE THIS NOTE

Fix applies to Editions:
Release 8.5
__ Application Server (Express or BASE)
__ Network Deployment (ND)
__ Liberty Core
__ Edge Components
__ Developer

Install Fix to all WebSphere installations unless special instructions are included below.

Special Instructions: None

NOTE: The user must:
* Be logged in with the same authority level when unpacking a fix, fix pack or refresh pack.
* Be at V1.4.3 or newer of the Installation Manager. Certain iFixes may require a newer version of the Installation Manager, and the Installation Manager will inform you during the installation process if a newer version is required.

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to apply the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before applying the iFixes.
Restart WebSphere Application Server after applying the iFixes.

Directions to remove fix:

The IBM Knowledge Center can provide details, if needed, on the use of the Installation Manager to remove the iFixes:
http://publib.boulder.ibm.com/infocenter/install/v1r4/index.jsp

Shut down WebSphere Application Server before removing the iFixes.
Restart WebSphere Application Server after removing the iFixes.

Directions to re-apply fix:
1) Shut down WebSphere Application Server.
2) Follow the Fix instructions to apply the fix.
3) Restart WebSphere Application Server.

Additional Information: