Wanted to know if there's any difference between an e-fix and patching, and also the process for how to do both. Previously we received an e-fix notification for SailPoint, which is currently on version 8.2p1.
[IdentityIQ Authorization of QuickLink Target Identities Vulnerability]
[IdentityIQ JavaServer Faces File Path Traversal Vulnerability]
Above are the 2 e-fixes we have received in a notification. Kindly please help.
An eFix (emergency fix) and a patch in SailPoint IdentityIQ are both used to address issues or bugs within the application. However, they have some differences in their scope and application.
An eFix is a targeted solution that is released to address a specific critical issue or bug in the application. It’s usually released quickly to fix an urgent problem and is applied to a specific version of the software. An eFix often includes minimal testing, as it is usually issued in response to a critical issue that needs immediate resolution.
A patch, on the other hand, is a more comprehensive update to the application. It may contain fixes for several issues or bugs, enhancements, and improvements to existing features. Patches undergo extensive testing to ensure that they do not introduce new issues and are compatible with all varying environments.
In short, an eFix is a quick, targeted fix for a critical issue, while a patch is a broader, more thoroughly tested update that may address multiple issues or improve functionality.
For applying the e-fixes, you will usually have the readme steps, and most of the e-fixes are simply extracting the files into the IdentityIQ home directory unless any other steps are mentioned explicitly.
For both, these steps are common: extract the e-fix into the root folder of each IdentityIQ instance in the installation and restart the servers. However, for the second one there is an additional step of modifying the WEB-INF/web.xml; please go through the readme.txt file in the above links.
Hi @ayadav_12, you can always verify the efix here. You will see your efix notification here. It's good practice to visit this page regularly to get the updated efixes for your version.
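The extraction step described in the replies above, as an added example that is not part of the original thread or SailPoint's own tooling: a Python sketch that lists which files an eFix archive would overwrite, backs those up, refuses archive members that would land outside the IdentityIQ home, and then extracts. The function names and all paths are assumptions; the eFix readme remains the authoritative procedure.

```python
import shutil
import zipfile
from pathlib import Path


def plan_efix(efix_zip, iiq_home):
    """Split archive members into files that replace an existing file
    and files that are new. Hypothetical helper, not a SailPoint API."""
    home = Path(iiq_home).resolve()
    overwrite, new = [], []
    with zipfile.ZipFile(efix_zip) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (home / info.filename).resolve()
            # Refuse members that would land outside the IdentityIQ home
            # (absolute paths or "../" components in the archive).
            if not target.is_relative_to(home):
                raise ValueError(f"unsafe archive member: {info.filename}")
            (overwrite if target.exists() else new).append(info.filename)
    return overwrite, new


def apply_efix(efix_zip, iiq_home, backup_dir):
    """Back up every file the eFix replaces, then extract into iiq_home.
    Returns (overwritten, added) so the change can be recorded or rolled back."""
    home, backup = Path(iiq_home).resolve(), Path(backup_dir)
    overwrite, new = plan_efix(efix_zip, home)
    for name in overwrite:
        dest = backup / name
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(home / name, dest)  # keeps timestamps for later comparison
    with zipfile.ZipFile(efix_zip) as zf:
        zf.extractall(home)
    return overwrite, new
```

Run it once per IdentityIQ instance with the application server stopped, keep the returned lists with the change record, and restart the servers afterwards as the reply describes.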
Also, can you please define the complete process or steps for patching and upgradation in production and also what are the pre-requisites we need to do before so we don’t face any issues while doing such activities.
Also, for any major patch upgrades, it is always recommended to involve SailPoint Services to confirm your upgrade plan, and also make sure you test each and every step/process in lower first before proceeding in production.
For the e-fix, as mentioned already in the above comments, if you go through the readme file you will have all the pre-reqs and steps to be followed.
Can you please provide a thorough analysis of both vulnerabilities?
[IdentityIQ Authorization of QuickLink Target Identities Vulnerability]
[IdentityIQ JavaServer Faces File Path Traversal Vulnerability]
What changes will there be before and after in SailPoint? Especially provide the analysis for the 2nd one.
This vulnerability allows access to arbitrary files in the application server
file system due to a path traversal vulnerability in JavaServer Faces (JSF)
2.2.20 documented in CVE-2020-6950. The remediation for this vulnerability
contained in this security fix provides additional changes to the remediation
announced in May 2021 tracked by ETN IIQSAW-3585 and in January 2023 tracked
by ETN IIQFW-336. This vulnerability in IdentityIQ is assigned CVE-2024-2227,
which supersedes CVE-2022-46835.