-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3121
        Information disclosure for IBM Infosphere Identity Insight
                              15 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           InfoSphere Identity Insight
                   InfoSphere Global Name Management
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service        -- Existing Account
                   Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4433  

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10958079
   https://www.ibm.com/support/docview.wss?uid=ibm10958081

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Information disclosure for IBM Infosphere Identity Insight

Document information
Software version: 8.1, 9.0
Operating system(s): Platform Independent
Reference #: 0958079
Modified date: 14 August 2019

Summary

There is a potential information disclosure vulnerability in Identity Insight
when using web services. The information disclosure is due to an XML external
entity (XXE) vulnerability.

Vulnerability Details

CVEID:  CVE-2019-4433
DESCRIPTION: IBM InfoSphere Global Name Management is vulnerable to an XML
External Entity Injection (XXE) attack when processing XML data. A remote
attacker could exploit this vulnerability to expose sensitive information or
consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162890
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)


Affected Products and Versions

IBM InfoSphere Identity Insight 9.0
IBM InfoSphere Identity Insight 8.1


Remediation/Fixes

IBM InfoSphere Identity Insight 9.0
To fix this vulnerability:

 1. Create the file <Identity Insight install root>/java/jre/lib/jaxp.properties .
    Typically there is already a file named jaxp.properties.sample in that
    directory, with all of its contents commented out. Copy that file to a file
    named jaxp.properties, or create an empty file with that name. Then append
    the following lines to the end of the file:

# For security, do not allow external DTDs, schemas, or stylesheets
javax.xml.accessExternalDTD=""
javax.xml.accessExternalSchema=""
javax.xml.accessExternalStylesheet=""


IBM InfoSphere Identity Insight 8.1
To fix this vulnerability:

 1. Download and install InfoSphere Identity Insight 8.1.0.4 iFix005 or greater
    from IBM Fix Central.

Change History

09 August 2019: original document published
14 August 2019: Updated acknowledgement

- --------------------------------------------------------------------------------

Security Bulletin: Information disclosure for IBM Infosphere Global Name
Management

Document information
Component: Enterprise Name Search
Software version: 5.0, 6.0
Operating system(s): Platform Independent
Reference #: 0958081
Modified date: 14 August 2019

Summary

There is a potential information disclosure vulnerability in Global Name
Management when using Enterprise Name Search. The information disclosure is due
to an XML external entity (XXE) vulnerability. Customers not using Enterprise
Name Search are not affected.

Vulnerability Details

CVEID: CVE-2019-4433
DESCRIPTION: IBM InfoSphere Global Name Management is vulnerable to an XML
External Entity Injection (XXE) attack when processing XML data. A remote
attacker could exploit this vulnerability to expose sensitive information or
consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162890
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)


Affected Products and Versions

IBM InfoSphere Global Name Management 6.0
IBM InfoSphere Global Name Management 5.0


Remediation/Fixes

IBM Infosphere Global Name Management 6.0
To fix this vulnerability:

 1. Create the file <ENS install root>/java/jre/lib/jaxp.properties . Typically
    there is already a file named jaxp.properties.sample in that directory,
    with all of its contents commented out. Copy that file to a file named
    jaxp.properties, or create an empty file with that name. Then append the
    following lines to the end of the file:

# For security, do not allow external DTDs, schemas, or stylesheets
javax.xml.accessExternalDTD=""
javax.xml.accessExternalSchema=""
javax.xml.accessExternalStylesheet=""
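To confirm that the jaxp.properties entry above (the same entry is given for both products) is actually honoured by the bundled JRE, the following added verification program, which is not part of the IBM bulletins or either product, parses a constructed document that references an external DTD and an external entity and reports whether the parser refuses the fetch. It assumes the JDK's built-in JAXP parser and is run with the product's java/jre; the class name JaxpAccessCheck and the .invalid hostnames are placeholders.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class JaxpAccessCheck {
    // Constructed input: a DOCTYPE with an external DTD and an external general
    // entity, the two fetches accessExternalDTD="" is meant to refuse. Hostnames
    // are placeholders; the point is that they must never be contacted.
    private static final String EXTERNAL_DTD_DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\" [\n"
        + "  <!ENTITY ext SYSTEM \"http://entity.example.invalid/ext.txt\">\n"
        + "]>\n"
        + "<note>&ext;</note>";

    // True only when the parser rejects the document because of the
    // accessExternalDTD restriction. A parsed document, or an I/O error from an
    // attempted fetch, both mean the restriction is not in force.
    public static boolean externalAccessBlocked(boolean setFactoryAttribute)
            throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        if (setFactoryAttribute) {
            // Per-factory equivalent of the jaxp.properties entry. Precedence:
            // factory attribute > system property > jaxp.properties > default.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        }
        DocumentBuilder builder = factory.newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(
                EXTERNAL_DTD_DOC.getBytes(StandardCharsets.UTF_8)));
            return false;   // parsed: external access was allowed
        } catch (SAXParseException e) {
            // The JDK parser names the property in its message when the restriction stopped the fetch.
            String msg = e.getMessage();
            return msg != null && msg.contains("accessExternalDTD");
        } catch (IOException e) {
            return false;   // a fetch was attempted, so nothing blocked it
        }
    }

    public static void main(String[] args) throws Exception {
        // First result reflects the JVM-wide setting from jaxp.properties (or
        // -Djavax.xml.accessExternalDTD=""); the second must always be true.
        System.out.println("JVM-wide setting blocks:  " + externalAccessBlocked(false));
        System.out.println("factory attribute blocks: " + externalAccessBlocked(true));
    }
}
```

If the first line prints false after the file has been created, the JRE is reading a different jaxp.properties (or a system property overrides it), so the entry is not protecting the product.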


IBM Infosphere Global Name Management 5.0
To fix this vulnerability:

 1. Download and install IBM Infosphere Global Name Management 5.0.0.1 iFix008
    or greater from IBM Fix Central.

Acknowledgement

The vulnerability was reported to IBM by Jose Castro Almeida.

Change History

09 August 2019: original document published
14 August 2019: Updated acknowledgement

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----