CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |

AI Score: 7.3 High (Confidence: High)

CVSS2: 5 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |

EPSS: 0.001 Low (Percentile: 42.3%)
Identity Insight customers are advised to update OpenJDK 8 to version 8.0.402 for the security update in Java.
Refer to the security bulletin(s) listed in the Remediation/Fixes section
Affected Product(s) | Version(s) |
---|---|
IBM InfoSphere Identity Insight | 9.0.0.1 |
The listed vulnerability issues are addressed.
CVE-ID | Description |
---|---|
CVE-2024-20952 | An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact. |
CVE-2024-20945 | An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact. |
CVE-2024-20926 | An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact. |
CVE-2024-20921 | |
CVE-2024-20919 | |
CVE-2024-20918 | An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact. |
CVE-2023-33850 | IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. |
CVE-2023-5676 | In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. |
Steps
This section provides instructions on how to upgrade the OpenJDK used in IBM InfoSphere Identity Insight (II) 9.0.0.1 to OpenJDK 8u402.
Download OpenJDK 8.0.402 for the desired platform.
* Windows: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x64_windows_8u402b06_openj9-0.43.0.zip>
* Linux: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_x64_linux_8u402b06_openj9-0.43.0.tar.gz>
* AIX: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u402-b06_openj9-0.43.0/ibm-semeru-open-jdk_ppc64_aix_8u402b06_openj9-0.43.0.tar.gz>
Stop Liberty Server.
Windows
<ii_install_dir>\bin\stopIIServer.bat
Linux/AIX
<ii_install_dir>/bin/stopIIServer
Back up the java directory in <ii_install_dir> by renaming it.
* Find the version of the current Java in <ii_install_dir>.
Windows
<ii_install_dir>\java\jre\bin\java -version
Linux/AIX
<ii_install_dir>/java/jre/bin/java -version
* Rename the java directory to java_<version>, substituting the version number of the current Java for <version>.
Windows
move <ii_install_dir>\java <ii_install_dir>\java_<version>
Linux/AIX
mv <ii_install_dir>/java <ii_install_dir>/java_<version>
Extract the downloaded file under <ii_install_dir>. A ‘jdk8u402-b06’ directory is placed under <ii_install_dir>.
Rename ‘jdk8u402-b06’ to ‘java’.
Windows
move <ii_install_dir>\jdk8u402-b06 <ii_install_dir>\java
Linux/AIX
mv <ii_install_dir>/jdk8u402-b06 <ii_install_dir>/java
Verify the updated Java is used in Identity Insight.
* Restart Liberty Server.
Windows
<ii_install_dir>\bin\startIIServer.bat
Linux/AIX
<ii_install_dir>/bin/startIIServer
* View <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log. Java used by Liberty Server is shown at the beginning of the file.
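
The verification step above, as an added example for Linux/AIX (not IBM's tooling): a POSIX shell check that reads the header of messages.log and fails if Liberty is still running from the renamed backup directory or reports an older build. The `java.home = ` and `java.version = ` header lines, the function names, and the `/opt/ii` path and version strings in the sample are assumptions.

```sh
#!/bin/sh
# Added example, not IBM's tooling: check the messages.log header after the swap.
# Assumption: the header has "java.home = ..." and "java.version = ..." lines.

# Print the value of KEY from the header (first 20 lines) of a messages.log.
liberty_header_field() {   # $1 = log path, $2 = key
    awk -v k="$2" 'NR > 20 { exit }
        index($0, k " = ") == 1 { print substr($0, length(k) + 4); exit }' "$1"
}

# 0 = Liberty runs <ii_install_dir>/java at the wanted version
# 1 = no Java header found, 2 = JVM is not <ii_install_dir>/java, 3 = wrong version
verify_liberty_java() {    # $1 = ii_install_dir, $2 = log path, $3 = version
    ii_dir=${1%/}
    home=$(liberty_header_field "$2" java.home)
    ver=$(liberty_header_field "$2" java.version)
    [ -n "$home" ] && [ -n "$ver" ] || return 1
    case $home in
        "$ii_dir"/java | "$ii_dir"/java/*) ;;   # the java_<version> backup fails here
        *) return 2 ;;
    esac
    case $ver in
        *"$3"*) return 0 ;;
        *) return 3 ;;
    esac
}

# Constructed sample header (paths and values are illustrative, not from a real system).
write_sample_log() {       # $1 = output path, $2 = java.home, $3 = java.version
    cat > "$1" <<EOF
********************************************************************************
product = WebSphere Application Server (constructed sample)
java.home = $2
java.version = $3
********************************************************************************
EOF
}

demo_log=$(mktemp)
write_sample_log "$demo_log" /opt/ii/java/jre 1.8.0_402
verify_liberty_java /opt/ii "$demo_log" 1.8.0_402 && echo "Liberty is on the updated JDK"
rm -f "$demo_log"
```

Against a real installation, pass the actual install directory, `<ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log`, and the version string that `java -version` reports for the new JDK.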
None
CPE
Name | Operator | Version |
---|---|---|
infosphere identity insight | eq | 9.0.0.1 |