WebSphere Application Server Archives

IBM i PTF Guide, Volume 27, Number 18

May 5, 2025 Doug Bidwell

Welcome to May, and we start out with PH65941, a notice from Big Blue that IBM WebSphere Application Server is vulnerable to server-side request forgery (CVE-2025-27907 CVSS 4.1). You can check out this link for more details. IBM says that the fix for this APAR is set to be included with WebSphere Application Server 8.5.5.28 and 9.0.5.24. We are not sure when that will happen.

Here is the rundown of PTF Groups by IBM i release level since we last published:

PTF Groups 7.6:
- HIPERs – High Impact Pervasive
- Group Security
- Performance Tools
- IBM HTTP Server for i
- Content
…
Read more
Support For Java 7 Ending WAS 8.5 On IBM i

July 18, 2022 Alex Woodie

IBM i shops that are running the traditional version of WebSphere Application Server 8.5 atop a Java 7 codebase will need to upgrade to Java 8 or risk running out of support from IBM.

At the end of July, IBM will cease to support WAS Traditional 8.5 running on JDK 7.0/7.1. Customers will need to upgrade their WAS 8.5 environments to JDK 8.0 to maintain support with IBM. IBM currently provides full support for WAS 8.5 and WAS 9.0 running on JDK 8.0. You can read more about this on the Official Support Statement for the IBM WebSphere Application Server …
Read more
IBM i Licensing, Part 2: Subscriptions Change Everything

June 13, 2022 Timothy Prickett Morgan

In a very funny way, the licensing of the IBM i platform is coming full circle with the advent of subscription pricing – with some funny curlicues along the way with over three decades of software licensing history and an even longer history of Big Blue renting, rather than selling, its software. When IBM first delivered its punch card machines, way way back, they were only available for rent, not for sale. The long arm of the law taught IBM to have some optionality, and it thus sold mainframes and minicomputers as well as leasing and renting them.

But before …
Read more
IBM i PTF Guide, Volume 24, Number 12

March 23, 2022 Doug Bidwell

And the security vulnerabilities just keep on a-coming. This time, it is with the WebSphere Application Server. Check out Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038), which you can read all about here. The affected products are WebSphere Application Server Liberty, versions 17.0.0.3 through 22.0.0.2 and WebSphere Application Server versions 9.0 through 9.0.5.11.

Also, here some information: The default location of ACS is updated whenever there is a Cumulative update or upgrade to a OS level. (\\&SystemName\root\QIBM\ProdData\Access\ACS\Base). Here are fixes for this:
- IBM i 7.4: SI77377 – ACS 1.1.8.8
…
Read more
IBM Patches New Security Flaws in Java, OpenSSL

April 3, 2019 Alex Woodie

IBM this week patched a series of flaws in IBM i’s Java environment, including a pair of very serious problems in the OpenJ9 runtime that could allow remote attackers to execute arbitrary code, in addition to a series of less-severe Java vulnerabilities. The company also fixed a new flaw found in IBM i’s OpenSSL implementation.

A total of seven Java flaws that impact IBM i versions 7.1 through 7.3 were addressed with one security bulletin issued by IBM on March 29. IBM issued Group PTFs for each release of the operating system to address them. A single OpenSSL flaw also …
Read more
Pay Attention To JDK And WebSphere Release Support

April 2, 2018 Timothy Prickett Morgan

IBM i shops don’t have to use Big Blue’s WebSphere Application Server middleware to create Java, since some of the Java functions are built into the Apache Web server built into the operating system and open source programs like the Tomcat server, while not still supported, are nonetheless sometimes still used. Still other shops don’t go for the full-on WebSphere Application Server, but use the Express Edition that is bundled on the machine to provide a certain level of automation for Java workloads.

IBM has been warning customers that they have to keep current on Java Development Kit (JDK) releases, …
Read more
IBM Patches Another BIND Flaw In IBM i

March 28, 2018 Alex Woodie

A serious flaw has been discovered in the BIND networking service that could be used to launch a denial of service attack against impacted servers, including IBM i. IBM patched the flaw in every version of the OS from IBM i 6.1 to 7.3 with a program temporary fix (PTF) made available earlier this month. IBM also patched a serious flaw in WebSphere that could let information leak out.

According to the IBM security bulletin issued March 12, the ISC BIND flaw known as CVE-2017-3145 has the potential to allow a remote attacker to crash a vulnerable server by sending …
Read more
IBM Will Change WebSphere To Work In A Cloudy World

March 26, 2018 Timothy Prickett Morgan

If you had to pick one product that put IBM back on the map in software, it would have to be the WebSphere Application Server that was wrapped around the Apache Web server for the 1998 Winter Olympics in Nagano, Japan. That was back when Big Blue was the technology sponsor for the Olympics, and it used the summer and winter events, each held every four years and out of phase by two years, as a showcase for new technologies. Two years is a Moore’s Law gap, so it worked out nicely.

WebSphere was the pet project of Tom Rosamilia, …
Read more
IBM Patches ‘ROBOT’ Flaw in IBM i Crypto Library

February 21, 2018 Alex Woodie

IBM has issued patches to fix a serious security problem in the IBM Global Security Kit, or GSKit, a relatively obscure crypto package that implements SSL/TLS encryption algorithms across a variety of IBM products, including IBM i. An old flaw in the underlying RSA crypto algorithm that could let hackers decrypt data in a “side channel” attack has resurfaced under a new moniker: “ROBOT.”

GSKit is an IBM toolkit that implements various encryption-related functions, including symmetric and asymmetric ciphers, random number generation, hashing algorithms, and encryption key management capabilities, for products that need over-the-wire encryption, including IBM i, Linux, and …
Read more

Content archive

Recent Posts

Subscribe

Pages

Search