Security Bulletin: IBM StoredIQ is affected by potential Host Header Injection (CVE-2019-4166)
IBM StoredIQ is affected by potential Host Header Injection on StoredIQ Dataserver
DESCRIPTION: IBM StoredIQ could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
Affected Products and Versions
Affected Products and Versions
|Affected Product||Affected Versions|
|IBM StoredIQ||22.214.171.124. - 126.96.36.199|
|Product||VRMF||Remediation / First Fix|
|IBM StoredIQ||188.8.131.52. - 184.108.40.206||No fix is required, but the configuration needs to be updated as described in Workarounds and Mitigations.|
Workarounds and Mitigations
Securing StoredIQ Data Server against possible host header injection vulnerabilities
There are several vulnerabilities that may be exploited by host header injection attacks. These vulnerabilities can be mitigated on the StoredIQ Data Server by a simple configuration change.
- Open a command-line terminal session to the Data Server and login as root.
Navigate to the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.
- Back up the settings.py file located in this directory.
- Edit the settings.py file in the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.
- Locate the line that starts with ALLOWED HOSTS.
- In the ALLOWED_HOSTS entry, supply the data server's IP address, and the data server's host name. For example, if the data server's IP address were 192.0.2.10 and the hostname were dataserver.example.com, the ALLOWED HOSTS line should look like this:
ALLOWED_HOSTS = ['192.0.2.10','dataserver.example.com']
If your data server has multiple IP addresses or multiple host names (or both), you can add them to the ALLOWED_HOSTS entry list.
- Save the settings.py file.
- Restart the AppServer service to pick up the new configuration by executing the following command:
monit restart AppServer -c /etc/deepfile/monitrc
The data server should now be protected against known host header injection attacks. For more information about the ALLOWED_HOSTS entry in the settings.py file, visit this URL:
Note that securing the data server in this manner means that URLs employed in browsers to access the data server user interface must use one of the IP addresses or host names listed in the ALLOWED_HOSTS entry of the settings.py file.
Get Notified about Future Security Bulletins
26 April 2019: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.