Lucene search

K
ibmIBMB8CB582AD4C9B18B3C5CCBAB5234D749FD3D0D9E37A5EF38D599A964E5AE80A1
HistoryDec 15, 2021 - 7:33 p.m.

Security Bulletin: Security vulnerabilities ( CVE-2021-36090, CVE-2021-35517 ) in Apache Commons Compress affect WebSphere Application Server Liberty Profile, shipped with IBM Operations Analytics Predictive Insights

2021-12-1519:33:19
www.ibm.com
16
apache commons compress
websphere application server liberty profile
ibm operations analytics predictive insights
cve-2021-36090
cve-2021-35517
out of memory error
ibm fix central
interimfix005
websphere application server liberty core 21.0.0.9
ph39418

EPSS

0.014

Percentile

86.5%

Summary

Websphere Application Server (WAS) Liberty Profile is shipped as a component of IBM Operations Analytics Predictive Insights. Information about Apache Commons Compress library vulnerabilities ( CVE-2021-36090, CVE-2021-35517 ) to a denial of service, caused by an out of memory error affect WAS Liberty Profile. This has been published in a security bulletin

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

Principal Product and Version(s) Affected Supporting Product and Version(s)
IBM Operations Analytics Predictive Insights - All WebSphere Application Server Liberty 17.0.0.3 - 21.0.0.9

Remediation/Fixes

First, from IBM Fix Central download and apply 1.3.6-TIV-PredictiveInsights-el7-x86_64-InterimFix005 . Applying iFix5 will upgrade WebSphere Application Server Liberty to version 21.0.0.8.

Then, upgrade to WebSphere Application Server Liberty Core 21.0.0.9. From IBM Fix Central download and apply 21.0.0.9-WS-LIBERTY-CORE-FP .

Now, download and apply WebSphere Application Server Liberty interim fix PH39418. For further details and recommendations see security bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-33517, CVE-2021-36090)

Workarounds and Mitigations

None