WebSphere Portal is removing Apache commons-httpclient JAR files

Due to security vulnerabilities (CVE-2012-6153 and CVE-2014-3577), WebSphere Portal is removing the Apache commons-httpclient JAR files from all releases and replacing them with the newer version (Apache HttpClient 4.3.6).
Note that a specific interim fix may not remove the JAR files themselves. The interim fix removes all WebSphere Portal uses of those JAR files, and the JAR files are then removed by a subsequent Cumulative Fix associated with that release.

These JAR files have been on the Portal classpath in many releases.  They were never intended to be used by our customers but it is possible that they could be used by a customer’s custom portlets or by a third party’s custom portlets.

The specific JAR files that will be removed are the following:

        commons-httpclient-2.0.jar
        commons-httpclient-3.0.jar
        commons-httpclient-3.0.1.jar

The WebSphere Portal releases in which the removal takes place are:

        WebSphere Portal V6.1.0.6
        WebSphere Portal V6.1.5.3
        WebSphere Portal V7.0.0.2
        WebSphere Portal V8.0.0.1 (included in CF15)
        WebSphere Portal V8.5.0.0

If you do not have any custom code or third-party code that uses these JAR files, you do not have to do anything as a consequence of this removal.

If you do have custom code or third-party code that depends on these JAR files being in the Portal Server classpath, you will have to make a change. There are many options. You can add a copy of the JAR back into the WebSphere Application Server or WebSphere Portal classpath, or add the JAR into the appropriate portlet WAR file; neither of these will protect you from the security vulnerabilities. Alternatively, you can change your custom source code to use the new Apache HttpClient 4.3.6 JAR, which does fix the security vulnerabilities. Changing the source code is the best option. Note that Apache HttpClient 4.3.6 is a complete rewrite of the library and there is no backward compatibility. Refer to the Apache web site for more details.
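One way to check whether deployed custom or third-party portlets depend on the removed library, as an added example (not IBM tooling and not part of the original note): it scans WAR/JAR bytes for bundled `commons-httpclient-*.jar` files and for classes that reference the `org.apache.commons.httpclient` package used by the 2.x/3.x library. The function names and the sample WAR are constructed for illustration.

```python
import io
import zipfile

# Old package name as it appears in class constant pools ('/') and in reflection strings ('.').
OLD_PKG = (b"org/apache/commons/httpclient", b"org.apache.commons.httpclient")
OLD_JAR_PREFIX = "commons-httpclient-"  # e.g. commons-httpclient-3.0.1.jar

def scan_archive(data, label, depth=0):
    """Scan WAR/JAR/EAR bytes; return sorted (kind, path) findings."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            path = f"{label}!/{name}"
            base = name.rsplit("/", 1)[-1]
            if base.startswith(OLD_JAR_PREFIX) and base.endswith(".jar"):
                findings.append(("bundled-jar", path))  # old library packaged with the app
            elif name.endswith(".class"):
                body = zf.read(name)
                if any(p in body for p in OLD_PKG):
                    findings.append(("class-ref", path))  # code built against the old API
            elif name.endswith((".jar", ".war")) and depth < 3:
                # Recurse into nested archives, with a depth limit against deep nesting.
                findings.extend(scan_archive(zf.read(name), path, depth + 1))
    return sorted(findings)

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_sample_war():
    """Constructed sample: stand-in class bytes, not real compiled classes."""
    uses_old = b"\xca\xfe\xba\xbe...org/apache/commons/httpclient/HttpClient"
    clean = b"\xca\xfe\xba\xbe...org/apache/http/impl/client/HttpClients"
    return make_zip({
        "WEB-INF/classes/com/example/FeedPortlet.class": uses_old,
        "WEB-INF/classes/com/example/Clean.class": clean,
        "WEB-INF/lib/commons-httpclient-3.0.1.jar": b"placeholder",
        "WEB-INF/lib/helper.jar": make_zip({"com/example/Util.class": uses_old}),
    })

if __name__ == "__main__":
    print(scan_archive(build_sample_war(), "sample.war"))
```

A `bundled-jar` finding means the application still ships the vulnerable library itself; a `class-ref` finding means code must be ported to the HttpClient 4.x API (`org.apache.http`). The byte match is a heuristic and will miss class names assembled at runtime.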

From TN 1695483