Hello everyone, sorry if I'm not in the right place to ask my question.
I work in a company who use IBM WAS 9.0.5.10 and 8.5.5.17 only and I want to be sure of something.
Recently I found out that there were exploits and multiple CVE 9 to 10 vulnerabilities into IBM WAS version before the 9.0.5.4 and the 8.5.5.18 like :
- CVE-2019-4279 who can be fixed with 9.0.5.0 / 8.5.5.16 OR the fixPack PH11655
- CVE-2020-4448 who can be fixed with 9.0.5.4 / 8.5.5.18 OR the fixPack PH25216
- CVE-2020-4450 who can be fixed with 9.0.5.5 / 8.5.5.18 OR the fixPack PH25074
- CVE-2020-4589 who can be fixed with 9.0.5.4 / 8.5.5.18 OR the fixPack PH27414
- CVE-2020-4464 who can be fixed with 9.0.5.5 / 8.5.5.18 OR the fixPack PH26952
So I reported the problem to one of my colleague, since I'm just starting using IBM WAS he said that all of their 8.5.5.17 version that they've installed were done the end of 2021 so there must be a fixPack automatically installed at the same time as the installation goes on even if it's an older version. I've tested on a Windows Server 2019 with the latest IBM Installation Manager to install the 9.0.5.10 version and the 8.5.5.17 specifically. He was right with the CVE-2019-4279, CVE-2020-4450, CVE-2020-4589, CVE-2020-4464 while installing IBM WAS ND 8.5.5.17 but in the list of fixPack with the install process there is not the fixPack for the CVE-2020-4448 also called PH25216 and that is really important. But it turns out that he appear when I press the "Show only recommended fixPack" to reveal all of the not recommended fixPack.
Why does this fixPack isn't set as "Recommended" with IBM WAS ND so that it install by default when we do a normal install ?
Does this is just an error from IBM or this fixPack isn't recommended by default for a reason ?
Does this exploit is still dangerous in an environment with F5 and firewall ?
Thanks for any kind of help or tricks, I'm just starting using WAS and this is a bit difficult for me.
------------------------------
AZ za
------------------------------