ESB-2018.3526 - [Win][Linux][IBM i][HP-UX][Solaris][AIX] IBM WebSphere Application Server: Cross-site scripting - Remote with user interaction 2018-11-09


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3526
   Potential cross-site scripting vulnerability in WebSphere Application
           Server using SIBMsgMigration Utility (CVE-2018-1798)
                              9 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1798  

Original Bulletin: 
   https://www.ibm.com/support/docview.wss?uid=ibm10730703

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Potential cross-site scripting vulnerability in WebSphere
Application Server using SIBMsgMigration Utility (CVE-2018-1798)

Security Bulletin

Document information
Software version: 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Software edition: Advanced, Base, Developer, Enterprise, Express, Network
Deployment, Single Server
Reference #: 0730703
Modified date: 08 November 2018

Summary

Potential cross-site scripting vulnerability in WebSphere Application Server
using Message Migration Utility (SIBMsgMigration). The Message Migration
Utility is not deployed by default. You are only at risk if you have deployed
the application.

Vulnerability Details

CVEID: CVE-2018-1798
DESCRIPTION: IBM WebSphere Application Server is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI, thus altering the intended functionality and potentially leading
to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/149428 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere
Application Server:

  * Version 9.0
  * Version 8.5
  * Version 8.0
  * Version 7.0

Remediation/Fixes

If the SIBMsgMigrationUtility is deployed on your system, it can be safely
removed. It is a utility that has not been used since WebSphere Application
Server Version 6. If the utility was installed with the product (it was an
optional feature), it will be located in the installableApps directory. You may
remove the utility or apply the interim fix below, which replaces it with a
non-functioning version.

The recommended solution is to apply the interim fix, Fix Pack or PTF
containing the APAR for each named product as soon as practical.

For WebSphere Application Server traditional and WebSphere Application Server
Hypervisor Edition:


For V9.0.0.0 through 9.0.0.9:

  * Remove the SIBMsgMigrationUtility

- --OR--

  * Upgrade to minimal fix pack levels as required by interim fix and then
    apply Interim Fix PH03492

- --OR--

  * Apply Fix Pack 9.0.0.10 or later (targeted availability 4Q 2018).

 

For V8.5.0.0 through 8.5.5.14:

  * Remove the SIBMsgMigrationUtility

- --OR--

  * Upgrade to minimal fix pack levels as required by interim fix and then
    apply Interim Fix PH03492

- --OR--

  * Apply Fix Pack 8.5.5.15 or later (targeted availability 1Q 2019).

 

For V8.0.0.0 through 8.0.0.15:

  * Remove the SIBMsgMigrationUtility

- --OR--

  * Upgrade to 8.0.0.15  and then apply Interim Fix PH03492

 

For V7.0.0.0 through 7.0.0.45:

  * Remove the SIBMsgMigrationUtility

 

WebSphere Application Server V7 and V8 are no longer in full support; IBM
recommends upgrading to a fixed, supported version/release/platform of the
product.
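The bulletin's risk condition is that the utility is deployed, not merely
shipped under installableApps. The script below is an added example (not IBM's
or AusCERT's code) that reports both states for a WebSphere install root. It
assumes that a shipped copy sits under installableApps (as the bulletin says),
that a deployed copy appears as a matching application directory under each
profile's config/cells/<cell>/applications tree (an assumed layout the
bulletin does not state), and that the file name contains the string
"SIBMsgMigration" (the bulletin gives no exact file name). The sample tree it
builds for a stand-alone run is constructed, not real data.

```python
"""Locate the SIBMsgMigration utility on a WebSphere install (added example,
not IBM/AusCERT code).

Reports files still shipped under installableApps and application
directories whose name matches under each profile's
config/cells/<cell>/applications tree (assumed layout). Per the bulletin,
only a deployed copy creates exposure.
"""
import sys
import tempfile
from pathlib import Path

# The exact file name is not given in the bulletin, so anything whose name
# contains this fragment (case-insensitive) is reported.
NAME_FRAGMENT = "sibmsgmigration"


def _matches(name: str) -> bool:
    return NAME_FRAGMENT in name.lower()


def find_shipped_copies(install_root: Path) -> list:
    """Return matching files anywhere under <install_root>/installableApps."""
    base = install_root / "installableApps"
    if not base.is_dir():
        return []
    return sorted(p for p in base.rglob("*") if _matches(p.name))


def find_deployed_copies(install_root: Path) -> list:
    """Return matching deployed application directories in every profile.

    Assumed layout: <install_root>/profiles/<profile>/config/cells/<cell>/applications/<app>.ear
    """
    hits = []
    profiles = install_root / "profiles"
    if not profiles.is_dir():
        return hits
    for profile in profiles.iterdir():
        cells = profile / "config" / "cells"
        if not cells.is_dir():
            continue
        for cell in cells.iterdir():
            apps = cell / "applications"
            if apps.is_dir():
                hits.extend(p for p in apps.iterdir() if _matches(p.name))
    return sorted(hits)


def assess(install_root) -> dict:
    """Summarise shipped vs deployed copies; at_risk follows the bulletin."""
    root = Path(install_root)
    shipped = find_shipped_copies(root)
    deployed = find_deployed_copies(root)
    return {
        "shipped": [str(p) for p in shipped],
        "deployed": [str(p) for p in deployed],
        # Only a deployed copy puts the server at risk per the bulletin.
        "at_risk": bool(deployed),
    }


def build_sample_install(base, deployed: bool = True) -> Path:
    """Create a constructed WAS-like tree for a stand-alone run (not real data)."""
    root = Path(base) / "WebSphere" / "AppServer"
    shipped = root / "installableApps"
    shipped.mkdir(parents=True)
    (shipped / "SIBMsgMigrationUtility.ear").write_bytes(b"")
    (shipped / "DefaultApplication.ear").write_bytes(b"")
    apps = root / "profiles" / "AppSrv01" / "config" / "cells" / "cell01" / "applications"
    apps.mkdir(parents=True)
    (apps / "ivtApp.ear").mkdir()
    if deployed:
        (apps / "SIBMsgMigrationUtility.ear").mkdir()
    return root


def demo_report(deployed: bool = True) -> dict:
    """Run assess() against a throwaway constructed tree."""
    with tempfile.TemporaryDirectory() as tmp:
        return assess(build_sample_install(tmp, deployed))


if __name__ == "__main__":
    # Pass a real install root (e.g. the directory containing installableApps)
    # as the first argument; with no argument the constructed sample is used.
    report = assess(sys.argv[1]) if len(sys.argv) > 1 else demo_report()
    for key, value in report.items():
        print(f"{key}: {value}")
```

A shipped-but-undeployed copy is still worth removing, as the bulletin
suggests, so that it cannot be deployed later; the at_risk flag only tells
you whether the condition the bulletin describes holds right now.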

Acknowledgement

The vulnerability was reported to IBM by Benoit Côté-Jodoin.

Change History

08 November 2018: original document published

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
