Websphere Application Server (WAS) Liberty Profile is shipped as a component of IBM Operations Analytics Predictive Insights. Information about Apache Commons Compress library vulnerabilities ( CVE-2021-36090, CVE-2021-35517 ) to a denial of service, caused by an out of memory error affect WAS Liberty Profile. This has been published in a security bulletin
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Principal Product and Version(s) | Affected Supporting Product and Version(s) |
---|---|
IBM Operations Analytics Predictive Insights - All | WebSphere Application Server Liberty 17.0.0.3 - 21.0.0.9 |
First, from IBM Fix Central download and apply 1.3.6-TIV-PredictiveInsights-el7-x86_64-InterimFix005 . Applying iFix5 will upgrade WebSphere Application Server Liberty to version 21.0.0.8.
Then, upgrade to WebSphere Application Server Liberty Core 21.0.0.9. From IBM Fix Central download and apply 21.0.0.9-WS-LIBERTY-CORE-FP .
Now, download and apply WebSphere Application Server Liberty interim fix PH39418. For further details and recommendations see security bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517, CVE-2021-36090)
None