IBM Security Verify

  • 1.  ISAM 9.0.7.1 IF 5 CVE-2020-4329

    Posted Wed October 21, 2020 04:32 PM
    Hello Team,

    We are at ISAM 9.0.7.1 IF 5. We got a new vulnerability related to the embedded Liberty server.
    Any assistance would be helpful.

    The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.46, 8.0 prior to 8.0.0.16, 8.5 prior to 8.5.5.18, 9.0 prior to 9.0.5.4, or 17.0.0.3 (Liberty) prior to 20.0.0.5 could allow a remote, authenticated attacker to obtain sensitive information, caused by improper parameter checking. This could be exploited to conduct spoofing attacks. (CVE-2020-4329).

    Installed version : 19.0.0.7
    Fixed version : 20.0.0.5 or Interim Fix PH20847

    Thanks,
    Bipin


    ------------------------------
    Bipin Dash
    ------------------------------


  • 2.  RE: ISAM 9.0.7.1 IF 5 CVE-2020-4329

    Posted Wed October 21, 2020 05:22 PM
    Hello Bipin,

    ISAM 9.0.7.2 has Liberty version 20.0.0.6 embedded as per the following technote:
    https://www.ibm.com/support/pages/node/6339189

    ISVA 10.0.0.1 has Liberty version 20.0.0.6 embedded as per the following technote:
    https://www.ibm.com/support/pages/node/6339229

    Upgrade to either ISAM 9.0.7.2 or ISVA 10.0.0.1 at your earliest convenience.

    Security fixes will not be backported.

    Here is the link to acquire ISAM 9.0.7.2:
    https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.7.1&platform=Linux&function=fixId&fixids=9.0.7-ISS-ISAM-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http

    Here is the link to acquire ISVA 10.0.0.1:
    https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Access&release=9.0.7.1&platform=Linux&function=fixId&fixids=10.0.0-ISS-ISVA-FP0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: ISAM 9.0.7.1 IF 5 CVE-2020-4329

    Posted Wed October 21, 2020 05:31 PM
    Thank you Jack! Appreciate your prompt response.

    ------------------------------
    Bipin Dash
    ------------------------------



  • 4.  RE: ISAM 9.0.7.1 IF 5 CVE-2020-4329

    Posted Fri October 23, 2020 06:08 AM
    Does 9.0.7.2 include the fix for the backups? In previous versions, the restore wouldn't work, and we had to install APAR IJ24066.

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 5.  RE: ISAM 9.0.7.1 IF 5 CVE-2020-4329

    Posted Fri October 23, 2020 12:12 PM

    Hello Joao,

    As per the following list of APARs fixed in 9.0.7.2:

    https://www.ibm.com/support/pages/node/6339189

    IJ24066: ISAM SNAPSHOTS WHEN APPLIED FAILS WITH ERROR


    So yes, it's included.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------