Security Update News
Update Information
| Title | Security Bulletin: Updating IBM WebSphere Liberty Profile in Identity Insight for security update |
|---|---|
| Update ID | 15C889A91631821917484807E31D550258875BB6FBCAB47AB403089641432860 |
| Type | ibm |
| Published | 2025-05-13T01:45:45 |
| Last Updated | 2025-05-13T01:45:45 |
Security Impact
| CVSS Score | 9.8 |
|---|---|
| Severity | CRITICAL |
| Attack Vector | NETWORK |
Affected CVEs
- CVE-2023-46158
- CVE-2023-50312
- CVE-2023-50314
- CVE-2024-22329
- CVE-2024-22354
- CVE-2024-25026
- CVE-2025-23184
Update Details
Identity Insight customers are advised to update IBM WebSphere Liberty Profile (WLP) to version 25.0.0.4 for security update in WLP.
## Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
## Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM InfoSphere Identity Insight | 9.0.0.1 |
| IBM InfoSphere Identity Insight | 10.0.0.0 |
## Remediation/Fixes
The listed vulnerability issues are addressed.
| CVE-ID | Description |
|---|---|
| CVE-2025-23184 | IBM WebSphere Application Server Liberty is vulnerable to a denial of service due to Apache CXF. For details, please refer to https://www.ibm.com/support/pages/node/7229079 |
| CVE-2023-50314 | IBM WebSphere Application Server Liberty is vulnerable to information disclosure. The fix is available in WLP 24.0.0.9. Beginning with WLP 24.0.0.9, WebSphere Liberty performs hostname verification on SSL certificates. A new collection of properties can be used to configure or disable the hostname verification behavior. For details, please refer to https://www.ibm.com/support/pages/node/7163230 |
| CVE-2024-25026 | IBM WebSphere Application Server Liberty is vulnerable to a denial of service, caused by sending a specially crafted request. |
| CVE-2024-22354 | IBM WebSphere Application Server Liberty is vulnerable to an XML External Entity (XXE) attack when processing XML data. |
| CVE-2024-22329 | IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery. |
| CVE-2023-50312 | IBM WebSphere Application Server Liberty could provide weaker than expected security for outbound TLS connections. |
| CVE-2023-46158 | IBM WebSphere Application Server Liberty could provide weaker than expected security due to improper resource expiration handling. |
**Steps**
This section provides instructions on how to update WebSphere Liberty Profile used in InfoSphere Identity Insight (II) to WLP 25.0.0.4.
1. Download wlp-base-all-25.0.0.4.jar from Fix Central.
2. Stop Liberty Server.
Windows
Linux/AIX
3. Backup the wlp directory in the
* Find out what version of the current wlp in
* Rename the wlp directory to wlp_<version>, substituting <version> with the version number of the current wlp.
Windows
move
Linux/AIX
mv
4. Extract wlp-base-all-25.0.0.4 JAR file into Identity Insight Installation directory (
`java -jar wlp-base-all-25.0.0.4.jar --acceptLicense`
5. Copy Liberty Server configuration files to the newly installed WLP directory.
Windows
xcopy /S /I
Linux/AIX
cp -rp
6. Remove the `workarea` and `tranlog` directories from the newly installed WLP directory.
Windows
rd /s /q
rd /s /q
Linux/AIX
rm -fr
rm -fr
7. Configure or disable the hostname verification.
Beginning with WLP 24.0.0.9, Liberty performs hostname verification on SSL certificates. When Liberty is acting as a client connecting to an outbound server (such as pipeline, db2 server, ldap server), the runtime now checks to make sure the hostname value from the server certificate’s Subject Alternative Name (SAN) matches the hostname value used when establishing the connection. A new collection of properties can be used to configure or disable the hostname verification behavior. For details, please refer to https://www.ibm.com/support/pages/node/7163230
8. Verify the updated WLP is used in Identity Insight.
* Start Liberty Server
Windows
Linux/AIX
* Check the WLP version number logged in
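Step 7 is the one most likely to break an existing deployment: after the upgrade, every outbound TLS connection (pipeline, DB2, LDAP) must present a certificate whose Subject Alternative Name covers the hostname Identity Insight is configured to connect to. The Python below is an added illustration, not IBM's or Liberty's code (Liberty's check is implemented in Java); it reproduces the SAN-matching rule described in the step against a constructed SAN list, so you can audit your configured endpoint names before upgrading. The SAN values and hostnames are assumptions for the example.

```python
import ipaddress

# Constructed SAN list in the shape ssl.getpeercert()["subjectAltName"] returns;
# stands in for the certificate of an outbound server such as DB2 (assumed values).
DB2_SERVER_SAN = (
    ("DNS", "db2.corp.example"),
    ("DNS", "*.corp.example"),
    ("IP Address", "10.0.0.5"),
)

def _dns_matches(pattern, host):
    """RFC 6125-style DNS-ID match: exact, or a wildcard that is the whole
    leftmost label and covers exactly one label (no '*.example' patterns)."""
    pat = pattern.lower().rstrip(".").split(".")
    hst = host.split(".")
    if len(pat) != len(hst):
        return False
    if pat[0] == "*":
        return len(hst) >= 3 and pat[1:] == hst[1:]
    return pat == hst

def san_matches_hostname(san_entries, hostname):
    """True if the name used to open the connection appears in the SAN:
    DNS names match DNS entries, literal IPs match iPAddress entries only.
    The certificate subject CN is deliberately not consulted."""
    host = hostname.rstrip(".").lower()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for san_type, value in san_entries:
        if ip is not None and san_type == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and san_type == "DNS" and _dns_matches(value, host):
            return True
    return False

def audit_outbound_targets(san_entries, targets):
    """Map each configured outbound hostname to whether verification passes;
    a False entry is a connection that will fail once hostname checking is on."""
    return {t: san_matches_hostname(san_entries, t) for t in targets}

if __name__ == "__main__":
    targets = ["db2.corp.example", "db2", "10.0.0.5", "pipeline.corp.example"]
    for host, ok in audit_outbound_targets(DB2_SERVER_SAN, targets).items():
        print(f"{host:25s} {'OK' if ok else 'MISMATCH: fix SAN or configured hostname'}")
```

The short name `db2` fails even though the certificate is valid for the FQDN, which is the typical post-upgrade failure: either reissue the certificate with the name actually configured, or change the configuration to the FQDN, rather than disabling verification.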
## Workarounds and Mitigations
None