9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
32.0%
Identity Insight customers are advised to update the bundled IBM WebSphere Liberty Profile (WLP) to version 24.0.0.6, which contains the security fixes for WLP listed below.
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
Affected Product(s) | Version(s) |
---|---|
IBM InfoSphere Identity Insight | 9.0.0.1 |
IBM InfoSphere Identity Insight | 10.0.0.0 |
The listed vulnerability issues are addressed.
CVE-ID | Description |
---|---|
CVE-2024-25026 | IBM WebSphere Application Server Liberty is vulnerable to a denial of service, caused by sending a specially crafted request. |
CVE-2024-22354 | IBM WebSphere Application Server Liberty is vulnerable to an XML External Entity (XXE) attack when processing XML data. |
CVE-2024-22329 | IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery. |
CVE-2023-50312 | IBM WebSphere Application Server Liberty could provide weaker than expected security for outbound TLS connections. |
CVE-2023-46158 | IBM WebSphere Application Server Liberty could provide weaker than expected security due to improper resource expiration handling. |
Steps
This section provides instructions on how to update WebSphere Liberty Profile used in InfoSphere Identity Insight (II) to WLP 24.0.0.6.
Download wlp-base-all-24.0.0.6.jar from Fix Central.
Stop Liberty Server
Windows
<ii_install_dir>\bin\stopIIServer.bat
Linux/AIX
<ii_install_dir>/bin/stopIIServer
Backup the wlp directory in the <ii_install_dir> by renaming it.
* Find the version of the current wlp in <ii_install_dir> by viewing <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log. The wlp version is shown in the product line at the beginning of the file.
* Rename the wlp directory to wlp_<version>, substituting <version> with the version number of the current wlp.
Windows
move <ii_install_dir>\wlp <ii_install_dir>\wlp_<version>
Linux/AIX
mv <ii_install_dir>/wlp <ii_install_dir>/wlp_<version>
Extract wlp-base-all-24.0.0.6 JAR file into Identity Insight Installation directory (<ii_install_dir>).
java -jar wlp-base-all-24.0.0.6.jar --acceptLicense <ii_install_dir>
Copy Liberty Server configuration files to the newly installed WLP directory.
Windows
xcopy /S /I <ii_install_dir>\wlp_<version>\usr\servers\iiServer <ii_install_dir>\wlp\usr\servers\iiServer
Linux/AIX
cp -rp <ii_install_dir>/wlp_<version>/usr/servers/iiServer <ii_install_dir>/wlp/usr/servers/iiServer
Remove the 'workarea' and 'tranlog' directories from the newly installed WLP directory. These hold the old runtime's cached state and transaction logs and are recreated on the next start; the server must have been stopped cleanly in the previous step before they are discarded.
Windows
rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\workarea
rd /s /q <ii_install_dir>\wlp\usr\servers\iiServer\tranlog
Linux/AIX
rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/workarea
rm -fr <ii_install_dir>/wlp/usr/servers/iiServer/tranlog
Verify the updated WLP is used in Identity Insight.
* Start Liberty Server
Windows
<ii_install_dir>\bin\startIIServer.bat
Linux/AIX
<ii_install_dir>/bin/startIIServer
* Check the WLP version number logged in <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log.
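The Linux/AIX steps above, collected into one checked script as an added example; this is not IBM's own tooling. It follows the bulletin's paths (<ii_install_dir>/wlp, usr/servers/iiServer, bin/stopIIServer) and the `java -jar ... --acceptLicense` installer, and makes three assumptions: that messages.log opens with a `product = ... <version> (wlp-...)` line, that an optional WLP_JAR_SHA256 variable holds the digest published for the download, and that a WLP_INSTALLER hook may substitute a stub installer for dry runs.

```shell
#!/bin/sh
# Added example (not IBM's script): scripted form of the Linux/AIX upgrade
# steps for the Liberty runtime under Identity Insight.
# Assumed log format: messages.log begins with a line such as
#   product = WebSphere Application Server 24.0.0.6 (wlp-1.0.90.cl240620240612-1600)
set -eu

# Print the Liberty version found in the product line of messages.log.
# Returns 1 when no product line is present.
wlp_version_from_log() {
    log="$1"
    ver=$(sed -n 's/^product = .* \([0-9][0-9.]*\) (wlp-.*$/\1/p' "$log" | head -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Integrity check before the archive is handed to java -jar.
# WLP_JAR_SHA256 is an assumed variable holding the expected SHA-256 digest;
# when it is unset only the file's presence is checked.
verify_jar() {
    jar="$1"
    [ -f "$jar" ] || { echo "missing archive: $jar" >&2; return 1; }
    if [ -n "${WLP_JAR_SHA256:-}" ]; then
        actual=$(sha256sum "$jar" | cut -d' ' -f1)
        [ "$actual" = "$WLP_JAR_SHA256" ] || { echo "checksum mismatch for $jar" >&2; return 1; }
    fi
}

# Default installer: the archive installer from the bulletin. WLP_INSTALLER
# (assumed hook) lets a dry run substitute a stub that only creates wlp/.
install_wlp_archive() {
    java -jar "$1" --acceptLicense "$2"
}

# Stop, back up, install, copy the server configuration, remove stale state.
# Prints the path of the backup directory on success.
upgrade_wlp() {
    ii="$1"; jar="$2"; new_ver="$3"
    server="usr/servers/iiServer"
    log="$ii/wlp/$server/logs/messages.log"

    verify_jar "$jar"
    [ -f "$ii/wlp/$server/server.xml" ] || { echo "no iiServer configuration under $ii/wlp" >&2; return 1; }
    old_ver=$(wlp_version_from_log "$log") || { echo "cannot determine current WLP version from $log" >&2; return 1; }
    if [ "$old_ver" = "$new_ver" ]; then
        echo "WLP is already at $new_ver" >&2
        return 1
    fi
    backup="$ii/wlp_$old_ver"
    [ ! -e "$backup" ] || { echo "backup directory already exists: $backup" >&2; return 1; }

    "$ii/bin/stopIIServer"
    mv "$ii/wlp" "$backup"
    "${WLP_INSTALLER:-install_wlp_archive}" "$jar" "$ii"
    [ -d "$ii/wlp" ] || { echo "installer did not create $ii/wlp" >&2; return 1; }

    mkdir -p "$ii/wlp/usr/servers"
    cp -rp "$backup/$server" "$ii/wlp/$server"
    # Cached state and transaction logs of the old runtime; recreated on start.
    rm -rf "$ii/wlp/$server/workarea" "$ii/wlp/$server/tranlog"
    [ -f "$ii/wlp/$server/server.xml" ] || { echo "configuration copy failed" >&2; return 1; }
    printf '%s\n' "$backup"
}
```

After the script finishes, start the server with <ii_install_dir>/bin/startIIServer and confirm the new version in the product line of the fresh messages.log, as in the verification step above; the backup directory it prints is the rollback path if the start fails.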
None
CPE | Name | Operator | Version |
---|---|---|---|
infosphere identity insight | eq | any |