History: Aug 14, 2019 - 9:50 p.m.

Security Bulletin: Information disclosure for IBM Infosphere Identity Insight

2019-08-14 21:50:22
www.ibm.com
EPSS: 0.004
Percentile: 74.0%

Summary

There is a potential information disclosure vulnerability in Identity Insight when using web services. The information disclosure is due to an XML external entity (XXE) vulnerability.

Vulnerability Details

CVEID: CVE-2019-4433
DESCRIPTION: IBM InfoSphere Global Name Management is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162890> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)

Affected Products and Versions

IBM InfoSphere Identity Insight 9.0

IBM InfoSphere Identity Insight 8.1

Remediation/Fixes

IBM InfoSphere Identity Insight 9.0

To fix this vulnerability:

  1. Create the file jaxp.properties in the <Identity Insight install root>/java/jre/lib directory. Typically there is already a file named jaxp.properties.sample in that directory, with all of its contents commented out. Copy that file to a file named jaxp.properties, or create an empty file with that name. Then append the following lines to the end of the file:

        # For security, do not allow external DTDs, schemas, or stylesheets
        javax.xml.accessExternalDTD=""
        javax.xml.accessExternalSchema=""
        javax.xml.accessExternalStylesheet=""
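
To confirm the 9.0 remediation on a host, the following added script (not part of IBM's bulletin) checks that a jaxp.properties file defines all three properties with an empty value. The function names and the command-line path argument are assumptions of this example, and it only recognizes `=` and `:` as key/value separators.

```shell
#!/bin/sh
# Added example: audit jaxp.properties for the three settings in the bulletin.
REQUIRED="javax.xml.accessExternalDTD javax.xml.accessExternalSchema javax.xml.accessExternalStylesheet"

# Print the effective (last-defined) value of property $2 in file $1.
# Returns 0 if the key is defined, 1 if it is absent or only commented out.
jaxp_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                    # skip comment lines
        {
            line = $0
            sub(/\r$/, "", line)                  # tolerate CRLF line endings
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t]*[=:][ \t]*/)   # first key/value separator
            if (n == 0) next                      # not a key=value line
            if (substr(line, 1, n - 1) == key) {
                v = substr(line, n + RLENGTH)
                found = 1
            }
        }
        END {
            if (!found) exit 1
            sub(/[ \t]+$/, "", v)
            print v
        }
    ' "$1"
}

# Returns 0 only if every required property is set to an empty value.
# Both an empty right-hand side and the "" form shown in the bulletin pass.
check_jaxp() {
    file=$1
    rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    for key in $REQUIRED; do
        if val=$(jaxp_value "$file" "$key"); then
            case $val in
                ''|'""') echo "OK:   $key is set to an empty value" ;;
                *)       echo "FAIL: $key=$val (expected an empty value)"; rc=1 ;;
            esac
        else
            echo "FAIL: $key is not set"; rc=1
        fi
    done
    return $rc
}

# Path argument is assumed to be the install's jaxp.properties file.
if [ $# -gt 0 ]; then check_jaxp "$1"; fi
```

A non-zero exit status means at least one property is missing, commented out, or set to something other than an empty value.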

IBM InfoSphere Identity Insight 8.1

To fix this vulnerability:

  1. Download and install InfoSphere Identity Insight 8.1.0.4 iFix005 or greater from IBM Fix Central.
