
Security Bulletin: IBM StoredIQ is affected by potential Host Header Injection (CVE-2019-4166)

Security Bulletin


Summary

IBM StoredIQ is affected by potential Host Header Injection on StoredIQ Dataserver

Vulnerability Details

CVEID: CVE-2019-4166
DESCRIPTION: IBM StoredIQ could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158699 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

Affected Product    Affected Versions
IBM StoredIQ        7.6.0.0 - 7.6.0.18

Remediation/Fixes

Product         VRMF                  Remediation / First Fix
IBM StoredIQ    7.6.0.0 - 7.6.0.18    No fix is required, but the configuration needs to be updated as described in Workarounds and Mitigations.

Workarounds and Mitigations

Securing StoredIQ Data Server against possible host header injection vulnerabilities

There are several vulnerabilities that may be exploited by host header injection attacks. These vulnerabilities can be mitigated on the StoredIQ Data Server by a simple configuration change.

  1. Open a command-line terminal session to the Data Server and log in as root.
  2. Navigate to the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.
  3. Back up the settings.py file located in this directory.
  4. Edit the settings.py file in the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.
  5. Locate the line that starts with ALLOWED_HOSTS.
  6. In the ALLOWED_HOSTS entry, supply the data server's IP address and the data server's host name. For example, if the data server's IP address were 192.0.2.10 and the hostname were dataserver.example.com, the ALLOWED_HOSTS line should look like this:
    ALLOWED_HOSTS = ['192.0.2.10','dataserver.example.com']
    If your data server has multiple IP addresses or multiple host names (or both), add each of them to the ALLOWED_HOSTS list.
  7. Save the settings.py file.
  8. Restart the AppServer service to pick up the new configuration by executing the following command:
    monit restart AppServer -c /etc/deepfile/monitrc

The data server should now be protected against known host header injection attacks. For more information about the ALLOWED_HOSTS entry in the settings.py file, visit this URL:
    https://docs.djangoproject.com/en/2.2/ref/settings/#allowed-hosts

Note that securing the data server in this manner means that URLs employed in browsers to access the data server user interface must use one of the IP addresses or host names listed in the ALLOWED_HOSTS entry of the settings.py file.
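As an added example (not IBM's code and not Django's own implementation), the following stand-alone Python re-implementation mirrors the check Django performs on the Host header against ALLOWED_HOSTS, so the effect of the settings.py change above can be exercised without a Data Server. It uses the bulletin's example entries and assumes Django's documented matching rules: exact host, a leading-dot entry for a domain and its subdomains, and '*' for anything.

```python
import re

# The bulletin's example setting from step 6 (constructed for this demo).
ALLOWED_HOSTS = ['192.0.2.10', 'dataserver.example.com']

# Same shape of value Django accepts: domain/IPv4 labels or a bracketed
# IPv6 literal, optionally followed by :port. Anything else is malformed.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:\d+)?$")


def split_domain_port(host_header):
    """Lower-case the header, validate its shape and separate domain from port.
    Returns ('', '') for a malformed value so the caller rejects the request."""
    host = host_header.strip().lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):            # bracketed IPv6 literal without a port
        return host, ""
    domain, sep, port = host.rpartition(":")
    if not sep:                       # no port present
        domain, port = host, ""
    return domain.rstrip("."), port   # 'host.' is the same domain as 'host'


def pattern_matches(domain, pattern):
    """One ALLOWED_HOSTS entry: '*' matches everything (the weak setting),
    a leading '.' matches the domain and every subdomain, else exact match."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return domain == pattern[1:] or domain.endswith(pattern)
    return domain == pattern


def is_allowed_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """True if the request's Host header names one of the configured hosts.
    A request failing this check is answered with HTTP 400 instead of being
    used to build redirect or password-reset URLs."""
    domain, _port = split_domain_port(host_header)
    if not domain:
        return False
    return any(pattern_matches(domain, p) for p in allowed_hosts)


if __name__ == "__main__":
    for hdr in ["dataserver.example.com:443", "192.0.2.10",
                "attacker.example", "dataserver.example.com.attacker.example"]:
        print(f"{hdr!r:45} -> {'allowed' if is_allowed_host(hdr) else 'rejected'}")
```

With the bulletin's two entries, a Host header naming any other host, a subdomain-suffix spoof, or a malformed value is rejected; only an entry of '*' would accept an arbitrary host.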



Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

26 April 2019: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: StoredIQ

Software version: 7.6

Operating system(s): Appliance

Reference #: 0881404

Modified date: 26 April 2019