IBM WebSphere Application Server - Liberty 17.0.0.3 through 26.0.0.3 IBM WebSphere Application Server Liberty could provide weaker than expected security when administering security settings.
"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7267362","tags":["vendor-advisory","patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseSeverity":"MEDIUM","baseScore":6.7,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}],"solutions":[{"lang":"en","value":"IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70078. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature https://www.ibm.com/support/pages/node/6553910 . \n\nAttention: After installing the interim fix or fixpack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.\n\nFor IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature(s): \n· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70078 https://www.ibm.com/support/pages/node/7266845 and carefully follow the instructions for steps required after fix installation.\n--OR--\n· Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).\n\nAdditional interim fixes may be available and linked off the interim fix download page.","supportingMedia":[{"type":"text/html","base64":false,"value":"IBM strongly recommends addressing the vulnerability now by applying a currently available interim fix or fix pack that contains the fix for APAR PH70078. To determine if a feature is enabled for IBM WebSphere Application Server Liberty, refer to How to determine if Liberty is using a specific feature.
Attention: After installing the interim fix or fixpack, please follow the additional instructions provided in the interim fix link referenced below to complete the remediation.
For IBM WebSphere Application Server Liberty 17.0.0.3 - 26.0.0.3 using the appSecurity-1.0, appSecurity-2.0, appSecurity-3.0, appSecurity-4.0 or appSecurity-5.0 feature(s):
· Upgrade to minimal fix pack levels as required by the interim fix and then apply the Interim Fix that resolves PH70078 and carefully follow the instructions for steps required after fix installation.
--OR--
· Apply Liberty Fix Pack 26.0.0.4 or later (targeted availability 2Q2026).
Additional interim fixes may be available and linked off the interim fix download page.