The vulnerability issue was identified as Defect #437475.
Hotfix #437475 can be downloaded from the links below (choose the hotfix version that matches the installed Identity Manager version):
For Identity Manager 8.2 & 8.2.1
Identity Manager 8.2.x Hotfix for Solution 437475 - Vulnerability in DOMPurify
To apply the hotfix to Identity Manager 8.2 & 8.2.1 only:
- Extract 443948 Fix vulnerability in DOMPurify.zip into a temporary work folder
- Start "SoftwareLoader.exe"
- Choose "Import into database"
- Connect to database
- Ensure the "root directory" matches the temporary work folder
- Select every yellow/orange entry in the tree structure
  To select a range of entries, hold the Shift key.
  To select individual files, hold the Ctrl (Strg) key.
  Both key combinations can be used together.
- You will get a warning that the "root directory" does not contain a One Identity Manager installation.
  THIS IS OK. Proceed with Yes.
- Use a change label or not.
- Exit the SoftwareLoader.exe
For Identity Manager 9.0 LTS (regardless of which CU is or isn't installed)
Identity Manager 9.0 LTS Hotfix for Solution 437475 - Vulnerability in DOMPurify
To apply the hotfix to Identity Manager 9.0 LTS and higher:
Download the Identity Manager transport package and use the Transporter as usual to install the updated documentation files into your Identity Manager database. Afterwards, all clients are updated automatically by Auto Update.
For Identity Manager 9.1 & 9.1.1
Identity Manager 9.1.x Hotfix for Solution 437475 - Vulnerability in DOMPurify
See above for instructions on how to install the hotfix in Identity Manager 9.0 LTS and higher.
For Identity Manager 9.2
Identity Manager 9.2 Hotfix for Solution 437475 - Vulnerability in DOMPurify
See above for instructions on how to install the hotfix in Identity Manager 9.0 LTS and higher.
This security Hotfix has been successfully applied to all Identity Manager On Demand and Identity Manager On Demand Starling Edition instances. No further action is required.