Security Bulletin: Updating Java in Identity Insight 9.0.0.1 for security update

2024-03-28 15:26:19
www.ibm.com
Tags: ibm infosphere identity insight, openjdk 8, security update, CVE-2024-20952, CVE-2024-20945, CVE-2024-20926, CVE-2024-20921, CVE-2024-20919, CVE-2024-20918, CVE-2023-33850, CVE-2023-5676

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 7.3 High (Confidence: High)

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low (Percentile: 42.3%)

Summary

Identity Insight customers are advised to update OpenJDK 8 to version 8.0.402 for the security update in Java.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s)               Version(s)
IBM InfoSphere Identity Insight   9.0.0.1

Remediation/Fixes

The listed vulnerability issues are addressed.

CVE-ID          Description
CVE-2024-20952  An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVE-2024-20945  An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVE-2024-20926  An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVE-2024-20921, CVE-2024-20919, CVE-2024-20918  An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVE-2023-33850  IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
CVE-2023-5676   In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing.

Steps

This section provides instructions on how to upgrade OpenJDK used in IBM InfoSphere Identity Insight (II) 9.0.0.1 to OpenJDK 8u402.

  1. Download OpenJDK 8.0.402 for the desired platform.
    * Windows: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x64_windows_8u402b06_openj9-0.43.0.zip>
    * Linux: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x64_linux_8u402b06_openj9-0.43.0.tar.gz>
    * AIX: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_ppc64_aix_8u402b06_openj9-0.43.0.tar.gz>

  2. Stop Liberty Server.
    Windows
    <ii_install_dir>\bin\stopIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/stopIIServer

  3. Back up the java directory in <ii_install_dir> by renaming it.
    * Find out the version of the current java in <ii_install_dir>.
    Windows
    <ii_install_dir>\java\jre\bin\java -version
    Linux/AIX
    <ii_install_dir>/java/jre/bin/java -version
    * Rename the java directory to java_<version>, substituting <version> with the version number of the current java.
    Windows
    move <ii_install_dir>\java <ii_install_dir>\java_<version>
    Linux/AIX
    mv <ii_install_dir>/java <ii_install_dir>/java_<version>

  4. Extract the downloaded file under <ii_install_dir>. A 'jdk8u402-b06' directory is placed under <ii_install_dir>.

  5. Rename 'jdk8u402-b06' to 'java'.
    Windows
    move <ii_install_dir>\jdk8u402-b06 <ii_install_dir>\java
    Linux/AIX
    mv <ii_install_dir>/jdk8u402-b06 <ii_install_dir>/java

  6. Verify that the updated Java is used by Identity Insight.
    * Restart Liberty Server.
    Windows
    <ii_install_dir>\bin\startIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/startIIServer
    * View <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log. The Java used by Liberty Server is shown at the beginning of the file.
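The Linux/AIX steps above, scripted as an added example (this is not IBM's script and is not part of the bulletin). It uses only paths named in the bulletin (bin/stopIIServer, bin/startIIServer, java/jre/bin/java, the jdk8u402-b06 archive directory, messages.log). The helpers are separated so the version parsing, the non-clobbering backup rename and the log check can be exercised without a JVM; the archive is assumed to have been downloaded already, and the exact wording of the Java line in messages.log is not given in the bulletin, so the string to look for is passed in by the caller.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin. Assumes the Identity Insight
# install directory (<ii_install_dir>) and the downloaded Semeru tar.gz
# are passed as the two arguments.

# Extract the version token from `java -version` output read on stdin, e.g.
#   openjdk version "1.8.0_362"   ->   1.8.0_362
# Both "openjdk version" and "java version" banners are accepted.
parse_java_version() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Rename <dir>/java to <dir>/java_<version> (step 3), refusing to overwrite
# an existing backup so a repeated run cannot silently lose the old JRE.
backup_java_dir() {
    dir=$1
    version=$2
    [ -n "$version" ] || { echo "could not determine current java version" >&2; return 1; }
    [ -d "$dir/java" ] || { echo "no java directory under $dir" >&2; return 1; }
    [ ! -e "$dir/java_$version" ] || { echo "backup java_$version already exists" >&2; return 1; }
    mv "$dir/java" "$dir/java_$version"
}

# Step 6 check: the Java line is near the top of messages.log, so only the
# first 20 lines are searched for the expected marker (caller-supplied).
log_shows_java() {
    log=$1
    expected=$2
    head -n 20 "$log" | grep -q "$expected"
}

# Steps 2 to 6 in order. `java -version` prints to stderr, hence 2>&1.
upgrade_openjdk() {
    ii_dir=$1
    archive=$2
    "$ii_dir/bin/stopIIServer"
    current=$("$ii_dir/java/jre/bin/java" -version 2>&1 | parse_java_version)
    backup_java_dir "$ii_dir" "$current" || return 1
    tar -xzf "$archive" -C "$ii_dir"
    mv "$ii_dir/jdk8u402-b06" "$ii_dir/java"
    "$ii_dir/bin/startIIServer"
    # Marker string is an assumption; adjust to what messages.log actually prints.
    log_shows_java "$ii_dir/wlp/usr/servers/iiServer/logs/messages.log" "1.8.0_402" \
        || { echo "messages.log does not show the new Java yet; check it manually" >&2; return 1; }
}

if [ $# -eq 2 ]; then
    upgrade_openjdk "$1" "$2"
fi
```

Run as `sh upgrade_openjdk.sh /opt/identityinsight ibm-semeru-open-jdk_x64_linux_8u402b06_openj9-0.43.0.tar.gz`. The Windows path uses the same sequence with the .bat scripts and `move`; only the commands differ.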

Workarounds and Mitigations

None

CPE Name                      Operator   Version
infosphere identity insight   eq         9.0.0.1
