Security Bulletin: Updating IBM WebSphere Liberty Profile in Identity Insight for security update

2024-06-24 15:45:50
www.ibm.com
Tags: ibm websphere liberty profile, identity insight, wlp 24.0.0.3, cve-2023-50312, cve-2023-46158, outbound tls connections, improper resource expiration, security update, instructions

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7.3 High (Confidence: High)

EPSS: 0.001 Low (Percentile: 32.0%)

Summary

Identity Insight customers are advised to update IBM WebSphere Liberty Profile (WLP) to version 24.0.0.6 for security update in WLP.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s) Version(s)
IBM InfoSphere Identity Insight 9.0.0.1
IBM InfoSphere Identity Insight 10.0.0.0

Remediation/Fixes

The listed vulnerability issues are addressed.

CVE-ID Description
CVE-2024-25026 IBM WebSphere Application Server Liberty is vulnerable to a denial of service, caused by sending a specially crafted request.
CVE-2024-22354 IBM WebSphere Application Server Liberty is vulnerable to an XML External Entity (XXE) attack when processing XML data.
CVE-2024-22329 IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery.
CVE-2023-50312 IBM WebSphere Application Server Liberty could provide weaker than expected security for outbound TLS connections.
CVE-2023-46158 IBM WebSphere Application Server Liberty could provide weaker than expected security due to improper resource expiration handling.

Steps

This section provides instructions on how to update WebSphere Liberty Profile used in InfoSphere Identity Insight (II) to WLP 24.0.0.6.

  1. Download wlp-base-all-24.0.0.6.jar from Fix Central.

  2. Stop Liberty Server
    Windows
    <ii_install_dir>\bin\stopIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/stopIIServer

  3. Back up the wlp directory in <ii_install_dir> by renaming it.
    * Find the version of the current wlp in <ii_install_dir> by viewing <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log. The wlp version is shown at the beginning of the file.
    * Rename the wlp directory to wlp_<version>, substituting <version> with the version number of the current wlp.
    Windows
    move <ii_install_dir>\wlp <ii_install_dir>\wlp_<version>
    Linux/AIX
    mv <ii_install_dir>/wlp <ii_install_dir>/wlp_<version>

  4. Extract the wlp-base-all-24.0.0.6 JAR file into the Identity Insight installation directory (<ii_install_dir>).
    java -jar wlp-base-all-24.0.0.6.jar --acceptLicense <ii_install_dir>

  5. Copy Liberty Server configuration files to the newly installed WLP directory.
    Windows
    xcopy /S /I <ii_install_dir>\wlp_<version>\usr\servers\iiServer <ii_install_dir>\wlp\usr\servers\iiServer
    Linux/AIX
    cp -rp <ii_install_dir>/wlp_<version>/usr/servers/iiServer <ii_install_dir>/wlp/usr/servers/iiServer

  6. Remove ‘workarea’ and ‘tranlog’ directories from the newly installed WLP directory.
    Windows
    rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\workarea
    rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\tranlog
    Linux/AIX
    rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/workarea
    rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/tranlog

  7. Verify the updated WLP is used in Identity Insight.
    * Start Liberty Server
    Windows
    <ii_install_dir>\bin\startIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/startIIServer
    * Check the WLP version number logged in <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log.
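The Linux/AIX steps above, collected into one script as an added example; this is not IBM's script and not part of the bulletin. Paths, the iiServer name and the stopIIServer/startIIServer commands come from the steps above. The script assumes that the first lines of Liberty's messages.log contain a header of the form "product = WebSphere Application Server <version> (...)" (the sample log below is constructed for illustration), and that step 4 requires java and the real wlp-base-all-24.0.0.6.jar from Fix Central, which is why the full procedure only runs when both arguments are supplied. The backup step refuses to overwrite an existing wlp_<version> directory, and the final check compares the version in the new messages.log against 24.0.0.6 instead of relying on eyeballing the file.

```shell
#!/bin/sh
# Added example (not IBM's script): automates the Linux/AIX steps of the
# bulletin for an Identity Insight install at <ii_install_dir>.
# Assumption: messages.log carries a "product = WebSphere Application
# Server <version> (...)" header line, as Liberty writes at server start.
set -eu

TARGET_WLP_VERSION="24.0.0.6"

# Step 3a: read the WLP version recorded in the server's messages.log.
# The last "product =" line is used so an appended (not rolled) log still
# reports the version of the most recent start.
current_wlp_version() {
  log="$1"
  sed -n 's/^product = [^0-9]*\([0-9][0-9.]*\).*/\1/p' "$log" | tail -n 1
}

# Step 3b: rename wlp to wlp_<version>; never clobber an existing backup.
backup_wlp() {
  ii="$1"; ver="$2"
  [ -d "$ii/wlp" ] || { echo "no wlp directory under $ii" >&2; return 1; }
  [ ! -e "$ii/wlp_$ver" ] || { echo "backup $ii/wlp_$ver already exists" >&2; return 1; }
  mv "$ii/wlp" "$ii/wlp_$ver"
}

# Step 4: extract the Fix Central JAR (needs java and the real JAR file).
extract_wlp() {
  ii="$1"; jar="$2"
  java -jar "$jar" --acceptLicense "$ii"
}

# Steps 5 and 6: copy the iiServer configuration from the backup into the
# new wlp tree, then drop the runtime state directories.
restore_server_config() {
  ii="$1"; ver="$2"
  src="$ii/wlp_$ver/usr/servers/iiServer"
  dst="$ii/wlp/usr/servers/iiServer"
  mkdir -p "$(dirname "$dst")"
  cp -rp "$src" "$dst"
  rm -rf "$dst/workarea" "$dst/tranlog"
}

# Step 7: succeed only if messages.log reports the expected version.
verify_wlp_version() {
  log="$1"; want="$2"
  [ "$(current_wlp_version "$log")" = "$want" ]
}

# Full procedure; runs only when invoked as: upgrade-wlp.sh <ii_install_dir> <jar>
if [ "$#" -eq 2 ]; then
  II="$1"; JAR="$2"
  LOG="$II/wlp/usr/servers/iiServer/logs/messages.log"
  "$II/bin/stopIIServer"                      # step 2
  VER=$(current_wlp_version "$LOG")           # step 3a
  backup_wlp "$II" "$VER"                     # step 3b
  extract_wlp "$II" "$JAR"                    # step 4
  restore_server_config "$II" "$VER"          # steps 5 and 6
  "$II/bin/startIIServer"                     # step 7
  verify_wlp_version "$LOG" "$TARGET_WLP_VERSION"
fi
```

Usage: `sh upgrade-wlp.sh /opt/ibm/ii wlp-base-all-24.0.0.6.jar`; a non-zero exit from the final check means the server came up on something other than 24.0.0.6 and the wlp_<version> backup is still in place for rollback.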

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm infosphere_identity_insight, match any
CPE: infosphere identity insight, operator eq, version any
