IBM Support

Security Bulletin: IBM StoredIQ is affected by potential Host Header Injection (CVE-2019-4166)

Security Bulletin


IBM StoredIQ is affected by potential Host Header Injection on StoredIQ Dataserver

Vulnerability Details

CVEID: CVE-2019-4166
DESCRIPTION: IBM StoredIQ could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

Affected Products and Versions

Affected Product Affected Versions
IBM StoredIQ -


Product VRMF Remediation / First Fix
IBM StoredIQ - No fix is required, but the configuration needs to be updated as described in Workarounds and Mitigations.

Workarounds and Mitigations

Securing StoredIQ Data Server against possible host header injection vulnerabilities

There are several vulnerabilities that may be exploited by host header injection attacks. These vulnerabilities can be mitigated on the StoredIQ Data Server by a simple configuration change.

  1. Open a command-line terminal session to the Data Server and login as root.
  2. Navigate to the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.
  3. Back up the file located in this directory.
  4. Edit the file in the /usr/lib/python6/site-packages/deepfile/ui/djangoweb directory.
  5. Locate the line that starts with ALLOWED HOSTS.
  6. In the ALLOWED_HOSTS entry, supply the data server's IP address, and the data server's host name. For example, if the data server's IP address were and the hostname were, the ALLOWED HOSTS line should look like this:
    ALLOWED_HOSTS = ['','']
    If your data server has multiple IP addresses or multiple host names (or both), you can add them to the ALLOWED_HOSTS entry list.
  7. Save the file.
  8. Restart the AppServer service to pick up the new configuration by executing the following command:
    monit restart AppServer -c /etc/deepfile/monitrc

The data server should now be protected against known host header injection attacks. For more information about the ALLOWED_HOSTS entry in the file, visit this URL:

Note that securing the data server in this manner means that URLs employed in browsers to access the data server user interface must use one of the IP addresses or host names listed in the ALLOWED_HOSTS entry of the file.

Get Notified about Future Security Bulletins



Change History

26 April 2019: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Location


[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSSHEC","label":"StoredIQ"},"Component":"","Platform":[{"code":"PF004","label":"Appliance"}],"Version":"7.6","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
26 April 2019