Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM1E48F9EB28126C55F701B2491F1D1ABEF9F2051C950A60C35CF8B42B7C341D18
HistoryApr 26, 2019 - 2:40 p.m.

Security Bulletin: IBM StoredIQ is affected by potential Host Header Injection (CVE-2019-4166)

2019-04-2614:40:01
www.ibm.com
8

0.002 Low

EPSS

Percentile

53.6%

JSON

Summary

IBM StoredIQ is affected by potential Host Header Injection on StoredIQ Dataserver

Vulnerability Details

CVEID: CVE-2019-4166 DESCRIPTION: IBM StoredIQ could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158699&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

Affected Products and Versions

Affected Product Affected Versions
IBM StoredIQ 7.6.0.0. - 7.6.0.18

Remediation/Fixes

Product VRMF Remediation / First Fix
IBM StoredIQ 7.6.0.0. - 7.6.0.18 No fix is required, but the configuration needs to be updated as described in Workarounds and Mitigations.

Workarounds and Mitigations

Securing StoredIQ Data Server against possible host header injection vulnerabilities

There are several vulnerabilities that may be exploited by host header injection attacks. These vulnerabilities can be mitigated on the StoredIQ Data Server by a simple configuration change.

  1. Open a command-line terminal session to the Data Server and login as root.

  2. Navigate to the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.

  3. Back up the settings.py file located in this directory.

  4. Edit the settings.py file in the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.

  5. Locate the line that starts with ALLOWED HOSTS.

  6. In the ALLOWED_HOSTS entry, supply the data server’s IP address, and the data server’s host name. For example, if the data server’s IP address were 192.0.2.10 and the hostname were dataserver.example.com, the ALLOWED HOSTS line should look like this:
    ALLOWED_HOSTS = [‘192.0.2.10’,‘dataserver.example.com’]
    If your data server has multiple IP addresses or multiple host names (or both), you can add them to the ALLOWED_HOSTS entry list.

  7. Save the settings.py file.

  8. Restart the AppServer service to pick up the new configuration by executing the following command:
    monit restart AppServer -c /etc/deepfile/monitrc

The data server should now be protected against known host header injection attacks. For more information about the ALLOWED_HOSTS entry in the settings.py file, visit this URL:
https://docs.djangoproject.com/en/2.2/ref/settings/#allowed-hosts

Note that securing the data server in this manner means that URLs employed in browsers to access the data server user interface must use one of the IP addresses or host names listed in the ALLOWED_HOSTS entry of the settings.py file.

CPENameOperatorVersion
storediqeq7.6

Related

cvelist 1
cve 1
prion 1
nvd 1
cvelist
cvelist
CVE-2019-4166
2019-04-26 00:00:00
cve
cve
CVE-2019-4166
2019-04-30 15:29:03
prion
prion
Open redirect
2019-04-30 15:29:00
nvd
nvd
CVE-2019-4166
2019-04-30 15:29:03

0.002 Low

EPSS

Percentile

53.6%

JSON
Related for 1E48F9EB28126C55F701B2491F1D1ABEF9F2051C950A60C35CF8B42B7C341D18
cvelist1cve1prion1nvd1