Security Bulletin: Updating Java in Identity Insight 10.0.0.0 for security update

Published: 2024-06-10 20:24:53
Source: www.ibm.com
Tags: ibm infosphere identity insight, openjdk 17.0.10.0, security update, cve-2024-20952, cve-2024-20945, cve-2024-20926, cve-2024-20921, cve-2024-20919, cve-2024-20918, cve-2023-33850, cve-2023-5676, remediation instructions

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

AI Score: 6.8 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 43.0%)

Summary

Identity Insight customers are advised to update OpenJDK 17 to version 17.0.11.0 for the security update in Java.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM InfoSphere Identity Insight | 10.0.0.0 |

Remediation/Fixes

The following vulnerabilities are addressed by the OpenJDK update described in the Steps section below.

| CVE-ID | Description |
|---|---|
| CVE-2024-21094, CVE-2024-21085, CVE-2024-21011 | An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impact, low integrity impact, and low availability impact. |
| CVE-2024-20952 | An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact. |
| CVE-2024-20945 | An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact. |
| CVE-2024-20926 | An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact. |
| CVE-2024-20921, CVE-2024-20919, CVE-2024-20918 | An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact. |
| CVE-2023-38264 | IBM SDK, Java Technology Edition's Object Request Broker (ORB) is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. |
| CVE-2023-33850 | IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information. |
| CVE-2023-5676 | In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing. |

Steps

This section provides instructions on how to update OpenJDK used in IBM InfoSphere Identity Insight (II) 10.0.0.0 to OpenJDK 17.0.11.0.

  1. Download OpenJDK 17.0.11.0 for the desired platform.
    * Windows : https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.11%2B9_openj9-0.44.0/ibm-semeru-open-jdk_x64_windows_17.0.11_9_openj9-0.44.0.zip
    * Linux : https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.11%2B9_openj9-0.44.0/ibm-semeru-open-jdk_x64_linux_17.0.11_9_openj9-0.44.0.tar.gz
    * AIX : https://github.com/ibmruntimes/semeru17-binaries/releases/download/jdk-17.0.11%2B9_openj9-0.44.0/ibm-semeru-open-jdk_ppc64_aix_17.0.11_9_openj9-0.44.0.tar.gz

  2. Stop Liberty Server.
    Windows
    <ii_install_dir>\bin\stopIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/stopIIServer

  3. Back up the java directory in <ii_install_dir> by renaming it.
    * Find out the version of the current java in <ii_install_dir>.
    Windows
    <ii_install_dir>\java\bin\java -version
    Linux/AIX
    <ii_install_dir>/java/bin/java -version
    * Rename the java directory to java_<version>, substituting <version> with the version number of the current java.
    Windows
    move <ii_install_dir>\java <ii_install_dir>\java_<version>
    Linux/AIX
    mv <ii_install_dir>/java <ii_install_dir>/java_<version>

  4. Extract the downloaded file under <ii_install_dir>. A 'jdk-17.0.11+9' directory is placed under <ii_install_dir>.

  5. Rename 'jdk-17.0.11+9' to 'java'.
    Windows
    move <ii_install_dir>\jdk-17.0.11+9 <ii_install_dir>\java
    Linux/AIX
    mv <ii_install_dir>/jdk-17.0.11+9 <ii_install_dir>/java

  6. If Liberty Server connects to the DB2 database over SSL, add the sslVersion parameter to the dataSource in the db.xml file (sslVersion is the attribute being added; sslConnection="true" is the existing setting that enables SSL for the JCC driver):
    <dataSource id="DefaultDataSource" jndiName="jdbc/pipeline" type="javax.sql.DataSource">
      <jdbcDriver libraryRef="DB2Lib"/>
      <properties.db2.jcc databaseName="dbName"
                          serverName="dbHost"
                          user="db2User"
                          password="dbUserPwd"
                          portNumber="dbPort"
                          sslVersion="TLSv1.2"
                          sslConnection="true"/>
    </dataSource>

  7. Verify that the updated Java is used by Identity Insight.
    * Restart Liberty Server.
    Windows
    <ii_install_dir>\bin\startIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/startIIServer
    * View <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log. The Java runtime used by Liberty Server is recorded in the header at the beginning of the file.
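The Linux/AIX side of steps 2 through 7 as one script, added here as an example and not taken from the IBM bulletin. Beyond the bulletin's own commands it adds two checks a practitioner would want: it refuses to unpack an archive whose SHA-256 does not match a checksum file, and it confirms from the Liberty messages.log header that the restarted server is actually running 17.0.11 or later. Assumptions not stated by the bulletin: the checksum file is named "<archive>.sha256.txt" and sits beside the archive (the reader must download it alongside the tarball); the archive unpacks to a top-level "jdk-17.0.11+9" directory, as step 4 says; and the messages.log header contains a "java.version = ..." line. The environment variable names II_INSTALL_DIR and SEMERU_ARCHIVE are this script's own.

```shell
#!/bin/sh
# Added example for steps 2-5 and 7 of the bulletin on Linux/AIX; not IBM's script.
# Assumptions (not from the bulletin): "<archive>.sha256.txt" sits beside the
# downloaded archive, the archive unpacks to "jdk-17.0.11+9", and Liberty's
# messages.log header carries a "java.version = ..." line. sha256sum is GNU
# coreutils; on AIX substitute "csum -h SHA256" or an equivalent.
set -eu

NEW_JDK_DIR="jdk-17.0.11+9"

# Pull "17.0.10" out of `java -version` output such as:
#   openjdk version "17.0.10" 2024-01-16
java_version_tag() {
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Supply-chain check after step 1: refuse an archive whose SHA-256 does not
# match the checksum file next to it.
verify_archive() {
    archive="$1"
    sumfile="$archive.sha256.txt"
    [ -f "$sumfile" ] || { echo "missing $sumfile" >&2; return 1; }
    # The checksum file lists "<hex>  <filename>", so check from that directory.
    (cd "$(dirname "$archive")" && sha256sum -c "$(basename "$sumfile")" >/dev/null)
}

# Steps 3-5: record the current version, move java -> java_<version>, unpack
# the new JDK, rename it to java. Prints the old version on success and leaves
# the tree untouched when the backup name already exists.
swap_java() {
    dir="$1"; archive="$2"
    case "$archive" in /*) ;; *) archive="$PWD/$archive" ;; esac
    old=$(java_version_tag "$("$dir/java/bin/java" -version 2>&1)")
    [ -n "$old" ] || { echo "cannot read current java version" >&2; return 1; }
    [ ! -e "$dir/java_$old" ] || { echo "$dir/java_$old already exists" >&2; return 1; }
    mv "$dir/java" "$dir/java_$old"
    # gzip | tar rather than tar -z: AIX tar has no -z option.
    (cd "$dir" && gzip -dc "$archive" | tar -xf -)
    [ -d "$dir/$NEW_JDK_DIR" ] || { echo "archive did not contain $NEW_JDK_DIR" >&2; return 1; }
    mv "$dir/$NEW_JDK_DIR" "$dir/java"
    printf '%s\n' "$old"
}

# Step 7: the runtime Liberty actually started with, from the messages.log header.
log_java_version() {
    sed -n 's/^java\.version = //p' "$1" | head -n 1
}

# Returns 0 if dotted version $1 >= $2, comparing each field numerically.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0 }'
}

if [ -n "${II_INSTALL_DIR:-}" ] && [ -n "${SEMERU_ARCHIVE:-}" ]; then
    verify_archive "$SEMERU_ARCHIVE"
    "$II_INSTALL_DIR/bin/stopIIServer"                          # step 2
    old=$(swap_java "$II_INSTALL_DIR" "$SEMERU_ARCHIVE")        # steps 3-5
    echo "java $old kept as java_$old; now: $("$II_INSTALL_DIR/java/bin/java" -version 2>&1 | head -n 1)"
    "$II_INSTALL_DIR/bin/startIIServer"                         # step 7
    sleep 30   # Liberty writes the header once the server is up
    new=$(log_java_version "$II_INSTALL_DIR/wlp/usr/servers/iiServer/logs/messages.log")
    if version_ge "$new" 17.0.11; then
        echo "Liberty is running Java $new"
    else
        echo "Liberty still reports Java '$new'; check messages.log" >&2; exit 1
    fi
else
    # Stand-alone demo on a constructed messages.log header (not a real log).
    demo=$(mktemp)
    printf '%s\n' 'product = WebSphere Application Server 24.0.0.3' \
        'java.home = /opt/ibm/ii/java' 'java.version = 17.0.11' \
        'java.runtime = IBM Semeru Runtime Open Edition (17.0.11+9)' > "$demo"
    echo "constructed header reports java.version $(log_java_version "$demo")"
    rm -f "$demo"
fi
```

Run it with II_INSTALL_DIR and SEMERU_ARCHIVE set to perform the upgrade; without them it only exercises the log check on a constructed header. The backup-name check matters on a second attempt: if java_<version> already exists the script stops before moving anything, rather than silently overwriting the only copy of the previous runtime.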

Workarounds and Mitigations

None
