-
Título
Vulnerability in DOMPurify in One Identity Manager local HTML5 documentation -
Descrição
When installing the Identity Manager Client Tools, there is an option to install a local HTML copy of the product documentation on the target server. The install is also done by default on servers hosting Identity Manager Web Applications.
This documentation was created using 3rd party software where recently a vulnerability in component DOMPurify version 1.0.11 has been detected. -
Resolução
The vulnerability issue was identified as Defect #437475.
A hotfix #437475 can be downloaded from the links below: (please choose the correct hotfix version in accordance with the Identity Manager version installed):
For Identity Manager 8.2 & 8.2.1
Identity Manager 8.2.x Hotfix for Solution 437475 - Vulnerability in DOMPurify
To apply the hotfix to Identity Manager 8.2 & 8.2.1 only:- Extract 443948 Fix vulnerability in DOMPurify.zip into a temp. workfolder
- Start "SoftwareLoader.exe"
- Choose "Import into database"
- Connect to database
- Ensure the "root directory" matches the temp. workfolder
- Select every yellow/orange entry from the tree structure
You can do a multiselect with holding the Shift - Key
You can select single files by using Ctrl/Strg - Key
Both key combinations are possibe together
- You will get a warning that the "root directory" does not contain a One Identity Manager installation.
THIS IS OK. Process with yes.
- Use a change label or not.
- Exit the SoftwareLoader.exe
For Identity Manager 9.0 LTS
Identity Manager 9.0 LTS Hotfix for Solution 437475 - Vulnerability in DOMPurify
To apply the hotfix to Identity Manager 9.0 LTS (CU1-CU3).- Upgrade to 9.0 LTS Cumulative Update 4 (CU4), as this fix has been included in the CU4 update.- If an upgrade is not possible, for 9.0 LTS Cumulative Update (CU) 1, CU 2 and CU 3, Download the Identity Manager transport package and regularly use the Transporter to install the updated documentation files into you Identity Manager database. Afterwards all clients are updated by Auto Update automatically.
For Identity Manager 9.1 & 9.1.1
Identity Manager 9.1.x Hotfix for Solution 437475 - Vulnerability in DOMPurify.
See above for instructions on how to install the hotfix in Identity Manager 9.0 LTS (CU1-CU3).
For Identity Manager 9.2
Identity Manager 9.2 Hotfix for Solution 437475 - Vulnerability in DOMPurify.
See above for instructions on how to install the hotfix in Identity Manager 9.0 LTS (CU1-CU3).
This security Hotfix has been successfully applied to all Identity Manager On Demand and Identity Manager On Demand Starling Edition instances. No further action is required.
-
Solicitação de alteração
437475 -
Informações adicionais
This fix has already been implemented in versions 9.0-CU4, 9.1.2 and 9.2.1