Security Bulletin: Updating IBM WebSphere Liberty Profile in Identity Insight for security update

2024-09-23 17:37:31 (source: www.ibm.com)

CVSS3 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score: 6.2 (Confidence: High)
EPSS: 0.001 (Percentile: 37.9%)

Summary

Identity Insight customers are advised to update IBM WebSphere Liberty Profile (WLP) to version 24.0.0.9 for security update in WLP.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s)              Version(s)
IBM InfoSphere Identity Insight  9.0.0.1
IBM InfoSphere Identity Insight  10.0.0.0

Remediation/Fixes

The listed vulnerabilities are addressed by updating to WLP 24.0.0.9.

CVE-ID          Description
CVE-2023-50314  IBM WebSphere Application Server Liberty is vulnerable to information disclosure. The fix is available in WLP 24.0.0.9. Beginning with WLP 24.0.0.9, WebSphere Liberty performs hostname verification on SSL certificates. A new collection of properties can be used to configure or disable the hostname verification behavior. For details, please refer to <https://www.ibm.com/support/pages/node/7163230>
CVE-2024-25026  IBM WebSphere Application Server Liberty is vulnerable to a denial of service, caused by sending a specially crafted request.
CVE-2024-22354  IBM WebSphere Application Server Liberty is vulnerable to an XML External Entity (XXE) attack when processing XML data.
CVE-2024-22329  IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery.
CVE-2023-50312  IBM WebSphere Application Server Liberty could provide weaker than expected security for outbound TLS connections.
CVE-2023-46158  IBM WebSphere Application Server Liberty could provide weaker than expected security due to improper resource expiration handling.

Steps

This section provides instructions on how to update WebSphere Liberty Profile used in InfoSphere Identity Insight (II) to WLP 24.0.0.9.

  1. Download wlp-base-all-24.0.0.9.jar from Fix Central.

  2. Stop the Liberty server.
    Windows
    <ii_install_dir>\bin\stopIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/stopIIServer

  3. Back up the wlp directory in <ii_install_dir> by renaming it.
    * Find the version of the current wlp in <ii_install_dir> by viewing <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log. The wlp version is shown at the beginning of the file.
    * Rename the wlp directory to wlp_<version>, substituting <version> with the version number of the current wlp.
    Windows
    move <ii_install_dir>\wlp <ii_install_dir>\wlp_<version>
    Linux/AIX
    mv <ii_install_dir>/wlp <ii_install_dir>/wlp_<version>

  4. Extract the wlp-base-all-24.0.0.9 JAR file into the Identity Insight installation directory (<ii_install_dir>).
    java -jar wlp-base-all-24.0.0.9.jar --acceptLicense <ii_install_dir>

  5. Copy Liberty Server configuration files to the newly installed WLP directory.
    Windows
    xcopy /S /I <ii_install_dir>\wlp_<version>\usr\servers\iiServer <ii_install_dir>\wlp\usr\servers\iiServer
    Linux/AIX
    cp -rp <ii_install_dir>/wlp_<version>/usr/servers/iiServer <ii_install_dir>/wlp/usr/servers/iiServer

  6. Remove ‘workarea’ and ‘tranlog’ directories from the newly installed WLP directory.
    Windows
    rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\workarea
    rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\tranlog
    Linux/AIX
    rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/workarea
    rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/tranlog

  7. Configure or disable the hostname verification.
    Beginning with WLP 24.0.0.9, Liberty performs hostname verification on SSL certificates. When Liberty is acting as a client connecting to an outbound server (such as pipeline, db2 server, ldap server), the runtime now checks to make sure the hostname value from the server certificate’s Subject Alternative Name (SAN) matches the hostname value used when establishing the connection. A new collection of properties can be used to configure or disable the hostname verification behavior. For details, please refer to <https://www.ibm.com/support/pages/node/7163230>

  8. Verify the updated WLP is used in Identity Insight.
    * Start the Liberty server
    Windows
    <ii_install_dir>\bin\startIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/startIIServer
    * Check the WLP version number logged in <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log.
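The Linux/AIX path of steps 2 to 6, together with the version check used in steps 3 and 8, as an added example script; it is not IBM's script and not part of the bulletin. It assumes the directory layout the steps describe (<ii_install_dir>/bin/stopIIServer, wlp/usr/servers/iiServer), that java is on the PATH, and that messages.log begins with a "product = WebSphere Application Server <version> (...)" line (an assumption about Liberty's log header, not something the bulletin states). The function names and the demo log header are constructed for this example. Step 1 (download) and step 7 (the hostname-verification properties, which the bulletin only links to) remain manual.

```shell
#!/bin/sh
# Added example, not IBM's script. Helpers for the WLP 24.0.0.9 update steps on
# Linux/AIX. Assumes <ii_install_dir>/bin/stopIIServer, wlp/usr/servers/iiServer
# and a messages.log whose header carries a
# "product = WebSphere Application Server <version> (...)" line (assumption).
set -eu

# Constructed messages.log header used by make_demo_install (not real output).
DEMO_LOG_HEADER='********************************************************************************
product = WebSphere Application Server 24.0.0.3 (constructed-build-id)
wlp.install.dir = /opt/ibm/ii/wlp/'

# Steps 3 and 8: read the WLP version from the top of messages.log.
# Prints the version, or nothing if the header line is not found.
current_wlp_version() {
    head -n 20 "$1" \
        | sed -n 's/^product = WebSphere Application Server \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Step 3: rename wlp to wlp_<version>. Refuses to overwrite an existing backup so
# a second run cannot silently destroy the only copy of the previous runtime.
backup_wlp() {
    ii=$1; ver=$2
    [ -d "$ii/wlp" ] || { echo "no wlp directory under $ii" >&2; return 1; }
    [ ! -e "$ii/wlp_${ver}" ] || { echo "$ii/wlp_${ver} already exists" >&2; return 1; }
    mv "$ii/wlp" "$ii/wlp_${ver}"
    echo "$ii/wlp_${ver}"
}

# Step 4: extract the Fix Central JAR into <ii_install_dir> (creates a new wlp/).
extract_wlp() {
    java -jar "$2" --acceptLicense "$1"
}

# Step 5: copy the iiServer configuration from the backup into the new runtime.
# The mkdir -p is an addition: a freshly extracted wlp has no iiServer tree yet.
restore_server_config() {
    ii=$1; ver=$2
    mkdir -p "$ii/wlp/usr/servers"
    cp -rp "$ii/wlp_${ver}/usr/servers/iiServer" "$ii/wlp/usr/servers/iiServer"
}

# Step 6: drop the copied workarea and tranlog so the new runtime starts clean.
clean_runtime_dirs() {
    rm -fr "$1/wlp/usr/servers/iiServer/workarea" "$1/wlp/usr/servers/iiServer/tranlog"
}

# Steps 2 to 6 end to end: upgrade_wlp <ii_install_dir> <path-to-wlp-base-all-24.0.0.9.jar>
# Afterwards start the server (step 8) and re-run current_wlp_version on the new log.
upgrade_wlp() {
    ii=$1; jar=$2
    "$ii/bin/stopIIServer"
    ver=$(current_wlp_version "$ii/wlp/usr/servers/iiServer/logs/messages.log")
    [ -n "$ver" ] || { echo "could not read the current WLP version" >&2; return 1; }
    backup_wlp "$ii" "$ver" >/dev/null
    extract_wlp "$ii" "$jar"
    restore_server_config "$ii" "$ver"
    clean_runtime_dirs "$ii"
    echo "WLP $ver backed up to $ii/wlp_${ver}; new runtime extracted into $ii/wlp"
}

# Builds a scratch <ii_install_dir> with the constructed header so the helpers
# above can be exercised without a real Identity Insight installation.
make_demo_install() {
    d=$(mktemp -d)
    mkdir -p "$d/wlp/usr/servers/iiServer/logs" \
             "$d/wlp/usr/servers/iiServer/workarea" \
             "$d/wlp/usr/servers/iiServer/tranlog"
    printf '%s\n' "$DEMO_LOG_HEADER" > "$d/wlp/usr/servers/iiServer/logs/messages.log"
    printf '%s\n' '<server description="constructed"/>' > "$d/wlp/usr/servers/iiServer/server.xml"
    echo "$d"
}
```

Sourcing the file only defines the functions; on a real system run `upgrade_wlp <ii_install_dir> <jar>` and then, after startIIServer, `current_wlp_version <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log` should print 24.0.0.9. The backup step deliberately fails rather than overwriting an existing wlp_<version>, which is the check most worth keeping if you adapt the script.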

Workarounds and Mitigations

None

Affected configurations (Vulners)

Vendor  Product                      Version  CPE
ibm     infosphere_identity_insight  any      cpe:2.3:a:ibm:infosphere_identity_insight:any:*:*:*:*:*:*:*
