
Security Bulletin: Updating Java in Identity Insight 9.0.0.1 for security update

Published: 2024-06-10 22:53:45
Source: www.ibm.com
Tags: ibm infosphere identity insight, openjdk 8, security update, cve-2024-20952, cve-2024-20945, cve-2024-20926, cve-2024-20921, cve-2024-20919, cve-2024-20918, cve-2023-33850, cve-2023-5676

CVSS v3.1 base score: 7.5 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

AI Score: 6.8 (Medium), confidence: High
EPSS: 0.001 (Low), percentile: 43.0%

Summary

Identity Insight customers are advised to update OpenJDK 8 to version 8.0.412 for the security update in Java.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

Affected Product(s): IBM InfoSphere Identity Insight
Version(s): 9.0.0.1

Remediation/Fixes

The listed vulnerability issues are addressed.

CVE-ID: Description

CVE-2024-21094, CVE-2024-21085, CVE-2024-21011: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality impact, low integrity impact, and low availability impact.
CVE-2024-20952: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVE-2024-20945: An unspecified vulnerability in Java SE related to the VM component could allow a local authenticated attacker to cause high confidentiality impact.
CVE-2024-20926: An unspecified vulnerability in Java SE related to the Scripting component could allow a remote attacker to cause high confidentiality impact.
CVE-2024-20921, CVE-2024-20919, CVE-2024-20918: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality impact and high integrity impact.
CVE-2023-38264: IBM SDK, Java Technology Edition's Object Request Broker (ORB) is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters.
CVE-2023-33850: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
CVE-2023-5676: In Eclipse OpenJ9 before version 0.41.0, the JVM can be forced into an infinite busy hang on a spinlock or a segmentation fault if a shutdown signal (SIGTERM, SIGINT or SIGHUP) is received before the JVM has finished initializing.

Steps

This section provides instructions on how to upgrade OpenJDK used in IBM InfoSphere Identity Insight (II) 9.0.0.1 to OpenJDK 8u412.

  1. Download OpenJDK 8.0.412 for the desired platform.
    * Windows: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u412-b08_openj9-0.44.0/ibm-semeru-open-jdk_x64_windows_8u412b08_openj9-0.44.0.zip>
    * Linux: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u412-b08_openj9-0.44.0/ibm-semeru-open-jdk_x64_linux_8u412b08_openj9-0.44.0.tar.gz>
    * AIX: <https://github.com/ibmruntimes/semeru8-binaries/releases/download/jdk8u412-b08_openj9-0.44.0/ibm-semeru-open-jdk_ppc64_aix_8u412b08_openj9-0.44.0.tar.gz>

  2. Stop Liberty Server.
    Windows
    <ii_install_dir>\bin\stopIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/stopIIServer

  3. Back up the java directory in <ii_install_dir> by renaming it.
    * Find out the version of the current Java in <ii_install_dir>.
    Windows
    <ii_install_dir>\java\jre\bin\java -version
    Linux/AIX
    <ii_install_dir>/java/jre/bin/java -version
    * Rename the java directory to java_<version>, substituting <version> with the version number of the current Java.
    Windows
    move <ii_install_dir>\java <ii_install_dir>\java_<version>
    Linux/AIX
    mv <ii_install_dir>/java <ii_install_dir>/java_<version>

  4. Extract the downloaded file under <ii_install_dir>. A directory named ‘jdk8u412-b08’ is placed under <ii_install_dir>.

  5. Rename ‘jdk8u412-b08’ to ‘java’
    Windows
    move <ii_install_dir>\jdk8u412-b08 <ii_install_dir>\java
    Linux/AIX
    mv <ii_install_dir>/jdk8u412-b08 <ii_install_dir>/java

  6. Verify the updated Java is used in Identity Insight.
    * Restart Liberty Server.
    Windows
    <ii_install_dir>\bin\startIIServer.bat
    Linux/AIX
    <ii_install_dir>/bin/startIIServer
    * View <ii_install_dir>/wlp/usr/servers/iiServer/logs/messages.log. Java used by Liberty Server is shown at the beginning of the file.
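The Linux/AIX steps 3 to 6 above, written as POSIX shell functions. This is an added example, not IBM's script: it assumes <ii_install_dir> is passed as the first argument, that the Semeru archive has already been downloaded, that `sha256sum` is available (on AIX substitute `csum -h SHA256` or `openssl dgst -sha256`), and that the archive's SHA-256 is supplied by the operator, since the bulletin publishes no checksum. The functions add the checks a practitioner wants before replacing the live JRE: refuse to overwrite an existing backup, reject an archive whose hash does not match, and confirm the extracted directory is the expected `jdk8u412-b08` before renaming it to `java`.

```shell
#!/bin/sh
# Added example (not IBM's script): scripted form of the Linux/AIX upgrade
# steps. Assumptions: $1 is <ii_install_dir>; the tarball is already on disk;
# sha256sum exists; the expected SHA-256 comes from the operator (placeholder,
# the bulletin does not publish one).
set -eu

# Directory the Semeru 8u412 archive extracts to (named in the bulletin).
NEW_JDK_DIR="jdk8u412-b08"

# Print the version string reported by <ii_install_dir>/java/jre/bin/java.
# java -version writes to stderr, hence the 2>&1.
current_java_version() {
    "$1/java/jre/bin/java" -version 2>&1 \
        | sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Step 3: rename java to java_<version>. Fails instead of overwriting an
# earlier backup, so a rerun cannot silently lose the last known-good JRE.
backup_java_dir() {
    ii_dir=$1
    ver=$(current_java_version "$ii_dir")
    [ -n "$ver" ] || { echo "cannot read current Java version" >&2; return 1; }
    if [ -e "$ii_dir/java_$ver" ]; then
        echo "backup $ii_dir/java_$ver already exists; refusing to overwrite" >&2
        return 1
    fi
    mv "$ii_dir/java" "$ii_dir/java_$ver"
    printf '%s\n' "$ii_dir/java_$ver"
}

# Steps 4 and 5: check the archive hash, extract under <ii_install_dir>, and
# rename jdk8u412-b08 to java. Requires step 3 to have moved the old java away.
install_jdk() {
    ii_dir=$1; tarball=$2; expected_sha256=$3
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    if [ "$actual" != "$expected_sha256" ]; then
        echo "checksum mismatch for $tarball: got $actual" >&2
        return 1
    fi
    if [ -e "$ii_dir/java" ]; then
        echo "$ii_dir/java still present; back it up first" >&2
        return 1
    fi
    tar -xzf "$tarball" -C "$ii_dir"
    if [ ! -d "$ii_dir/$NEW_JDK_DIR" ]; then
        echo "archive did not produce $ii_dir/$NEW_JDK_DIR" >&2
        return 1
    fi
    mv "$ii_dir/$NEW_JDK_DIR" "$ii_dir/java"
}

# Step 6: after startIIServer, confirm the header of Liberty's messages.log
# (the bulletin says Java is reported at the start of the file) names the
# expected version string.
verify_liberty_java() {
    log="$1/wlp/usr/servers/iiServer/logs/messages.log"
    head -n 40 "$log" | grep -q "$2"
}

# Usage (assumed paths):
#   backup_java_dir /opt/ii
#   install_jdk /opt/ii /tmp/ibm-semeru-open-jdk_x64_linux_8u412b08_openj9-0.44.0.tar.gz <sha256 from IBM>
#   /opt/ii/bin/startIIServer && verify_liberty_java /opt/ii 1.8.0_412
```

Run `backup_java_dir` before `install_jdk`; the second function deliberately refuses to run while a `java` directory still exists, which is what stops an interrupted upgrade from extracting a new JRE on top of the old one.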

Workarounds and Mitigations

None

Affected configurations

IBM InfoSphere Identity Insight, version 9.0.0.1 (CPE match: infosphere identity insight, eq 9.0.0.1)
