CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
37.9%
Identity Insight customers are advised to update IBM WebSphere Liberty Profile (WLP) to version 24.0.0.9 to pick up the security fixes in WLP.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Product(s) | Version(s) |
---|---|
IBM InfoSphere Identity Insight | 9.0.0.1 |
IBM InfoSphere Identity Insight | 10.0.0.0 |
The listed vulnerability issues are addressed.
CVE-ID | Description |
---|---|
CVE-2023-50314 | IBM WebSphere Application Server Liberty is vulnerable to information disclosure. The fix is available in WLP 24.0.0.9. Beginning with WLP 24.0.0.9, WebSphere Liberty performs hostname verification on SSL certificates. A new collection of properties can be used to configure or disable the hostname verification behavior. For details, please refer to <https://www.ibm.com/support/pages/node/7163230> |
CVE-2024-25026 | IBM WebSphere Application Server Liberty is vulnerable to a denial of service, caused by sending a specially crafted request. |
CVE-2024-22354 | IBM WebSphere Application Server Liberty is vulnerable to an XML External Entity (XXE) attack when processing XML data. |
CVE-2024-22329 | IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery. |
CVE-2023-50312 | IBM WebSphere Application Server Liberty could provide weaker than expected security for outbound TLS connections. |
CVE-2023-46158 | IBM WebSphere Application Server Liberty could provide weaker than expected security due to improper resource expiration handling. |
Steps
This section provides instructions on how to update the WebSphere Liberty Profile used in InfoSphere Identity Insight (II) to WLP 24.0.0.9.
1. Download wlp-base-all-24.0.0.9.jar from Fix Central.
2. Stop the Liberty server.
   Windows
   <ii_install_dir>\bin\stopIIServer.bat
   Linux/AIX
   <ii_install_dir>/bin/stopIIServer
3. Back up the wlp directory in <ii_install_dir> by renaming it.
   * Find the version of the current wlp by viewing <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log; the wlp version is shown at the beginning of the file.
   * Rename the wlp directory to wlp_<version>, substituting <version> with the version number of the current wlp.
   Windows
   move <ii_install_dir>\wlp <ii_install_dir>\wlp_<version>
   Linux/AIX
   mv <ii_install_dir>/wlp <ii_install_dir>/wlp_<version>
4. Extract the wlp-base-all-24.0.0.9 JAR file into the Identity Insight installation directory (<ii_install_dir>).
   java -jar wlp-base-all-24.0.0.9.jar --acceptLicense <ii_install_dir>
5. Copy the Liberty server configuration files to the newly installed WLP directory.
   Windows
   xcopy /S /I <ii_install_dir>\wlp_<version>\usr\servers\iiServer <ii_install_dir>\wlp\usr\servers\iiServer
   Linux/AIX
   cp -rp <ii_install_dir>/wlp_<version>/usr/servers/iiServer <ii_install_dir>/wlp/usr/servers/iiServer
6. Remove the ‘workarea’ and ‘tranlog’ directories from the newly installed WLP directory.
   Windows
   rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\workarea
   rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\tranlog
   Linux/AIX
   rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/workarea
   rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/tranlog
7. Configure or disable the hostname verification.
   Beginning with WLP 24.0.0.9, Liberty performs hostname verification on SSL certificates. When Liberty is acting as a client connecting to an outbound server (such as the pipeline, DB2 server, or LDAP server), the runtime now checks that the hostname value from the server certificate’s Subject Alternative Name (SAN) matches the hostname value used when establishing the connection. A new collection of properties can be used to configure or disable the hostname verification behavior. For details, please refer to <https://www.ibm.com/support/pages/node/7163230>
8. Verify that the updated WLP is used in Identity Insight.
   * Start the Liberty server.
     Windows
     <ii_install_dir>\bin\startIIServer.bat
     Linux/AIX
     <ii_install_dir>/bin/startIIServer
   * Check the WLP version number logged in <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log.
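As an added example (not from the bulletin and not IBM's code), the following Python reproduces the SAN hostname check that the hostname-verification step above describes, so the outbound endpoints Identity Insight connects to (pipeline, DB2, LDAP) can be inventoried for certificates that would fail it before the upgrade. The matching rules (case-insensitive, wildcard only as the whole leftmost label, DNS entries only) are my assumption of common practice, since the bulletin does not spell out Liberty's exact rules; `SAMPLE_PEER_CERT` is constructed.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert(): a DB2 server
# certificate whose SAN names only the short hostname and a lab wildcard, not the FQDN.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "db2host"),),),
    "subjectAltName": (("DNS", "db2host"), ("DNS", "*.lab.example"), ("IP Address", "10.0.0.5")),
}

def san_dns_names(peer_cert):
    """Return the DNS entries of the certificate's Subject Alternative Name."""
    return [value for (kind, value) in peer_cert.get("subjectAltName", ()) if kind == "DNS"]

def dns_name_matches(pattern, hostname):
    """Assumed rules: case-insensitive; a wildcard is only valid as the entire leftmost
    label, never spans a dot, and the pattern must keep at least three labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_verification_passes(peer_cert, hostname):
    """The check the bulletin describes: the hostname used to connect must match a SAN entry.
    Only DNS entries are considered here (assumption); connecting by IP literal is out of scope."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names(peer_cert))

def fetch_peer_cert(host, port, cafile=None, timeout=5.0):
    """Fetch a live endpoint's certificate with chain validation but without the hostname
    check, so its SAN can be evaluated by hostname_verification_passes() ahead of the upgrade.
    cafile: internal CA bundle; getpeercert() returns {} unless the chain was validated."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # a mismatch is what we want to report, not abort on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    # Offline run against the constructed sample; for a real inventory, call
    # fetch_peer_cert(host, port) for each outbound endpoint in the Liberty configuration.
    for host in ("db2host", "db2host.corp.example", "ldap.lab.example"):
        verdict = "OK" if hostname_verification_passes(SAMPLE_PEER_CERT, host) else "WOULD FAIL"
        print(f"{host}: {verdict}")
```

An endpoint reported as WOULD FAIL needs either a reissued certificate whose SAN lists the hostname Liberty connects with, or the hostname-verification properties from the linked IBM page applied to that connection.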
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | infosphere_identity_insight | any | cpe:2.3:a:ibm:infosphere_identity_insight:any:*:*:*:*:*:*:* |