ESB-2018.3544 - [Win][Linux][IBM i][HP-UX][Solaris][AIX] IBM WebSphere Application Server Installation Verification Tool: Cross-site scripting - Existing account 2018-11-13



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3544
            Cross-site scripting vulnerability in Installation
             Verification Tool of WebSphere Application Server
                             13 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server Installation Verification Tool
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1643  

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10716857

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Cross-site scripting vulnerability in Installation
Verification Tool of WebSphere Application Server (CVE-2018-1643)

Security Bulletin

Document information
Software version: 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Software edition: Advanced, Base, Developer, Enterprise, Express, Network
Deployment, Single Server
Reference #: 0716857
Modified date: 12 November 2018

Summary

There is a potential cross-site scripting vulnerability with the Installation
Verification Tool of IBM WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2018-1643
DESCRIPTION: The Installation Verification Tool of IBM WebSphere Application
Server is vulnerable to cross-site scripting. This vulnerability allows users
to embed arbitrary JavaScript code in the Web UI thus altering the intended
functionality potentially leading to credentials disclosure within a trusted
session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144588 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere
Application Server:

  * Version 9.0
  * Version 8.5
  * Version 8.0

Remediation/Fixes

On a standalone application server profile, the "ivtApp" application is used by
the Installation Verification Tool (IVT). The IVT verifies that the
installation of the product and the application server is successful. On a
standalone application server, the IVT queries servlets from the "ivtApp"
application.

The IVT is invoked manually by a user either through the firststeps console or
through the ivt.bat/sh script.

For more information regarding the Installation Verification Tool, see the
Knowledge Center document "Using the installation verification tool".

The application is also available as an installable Enterprise Application
Archive (EAR) file, located at <WAS_HOME>/installableApps/ivtApp.ear.

The fix delivers updates to the ivtApp.ear under the installableApps directory
as well as the standalone application profile template which is used for
profile creation so that new profiles are deployed with the updated "ivtApp".

However, a profile or server configuration that already has the ivtApp.ear
deployed, whether from profile creation or by an administrator/user, must be
updated manually, because changes to a profile or server configuration can
only be administered by an administrator/user.

If there is no need for the ivtApp then it may be simply uninstalled.

The recommended solution is to apply the interim fix, Fix Pack or PTF
containing APAR PI98558 for each named product as soon as practical. 

NOTE:  Manual steps may need to be taken after applying the Interim Fix
depending on your environment.  See below for the steps.

For WebSphere Application Server traditional and WebSphere Application Server
Hypervisor Edition:
For V9.0.0.0 through 9.0.0.8:
- Upgrade to the minimal fix pack level required by the interim fix and then
apply Interim Fix PI98558
--OR--
- Apply Fix Pack 9.0.0.9 or later.

For V8.5.0.0 through 8.5.5.13:
- Upgrade to the minimal fix pack level required by the interim fix and then
apply Interim Fix PI98558
--OR--
- Apply Fix Pack 8.5.5.14 or later.

For V8.0.0.0 through 8.0.0.15:
- Upgrade to the minimal fix pack level required by the interim fix and then
apply Interim Fix PI98558

WebSphere Application Server V8 is no longer in full support; IBM recommends
upgrading to a fixed, supported version/release/platform of the product.

MANUAL STEPS:

If there is no need for the ivtApp then it may be simply uninstalled.

If the ivtApp is still needed, it should be updated, or uninstalled and
reinstalled, with the updated ivtApp.ear from
<WAS_HOME>/installableApps/ivtApp.ear.

In a standalone application server environment, administer your changes
through the standalone application server(s).

In a Network Deployment environment, administer your changes through the
deployment manager server(s).

Please review the notes at the end of this article before proceeding for more
information.

Using the administrative console through the browser

  * To uninstall the application if present, see "Uninstalling enterprise
    applications using the console":
    https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/trun_app_uninst.html
  * To (re-)install the application, see "Installing enterprise application
    files with the console":
    https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/trun_app_instwiz.html
  * To update the application if present, see "Updating enterprise applications
    with the console":
    https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.multiplatform.doc/ae/trun_app_upgrade_console.html

Using the AdminApp command through the wsadmin tool

  * To uninstall the application if present, see "Uninstalling enterprise
    applications using the wsadmin scripting tool":
    https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/txml_uninstall.html
  * To install the application, see "Installing enterprise applications using
    wsadmin scripting":
    https://www.ibm.com/support/knowledgecenter/en/SSEQTP_9.0.0/com.ibm.websphere.base.doc/ae/txml_callappinstall.html
  * To update the application if present, see "Updating installed applications
    using the wsadmin scripting tool":
    https://www.ibm.com/support/knowledgecenter/en/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/txml_updatingapp.html

Note: When the ivtApp.ear is deployed as part of profile creation, the
application is named "ivtApp". If an administrator/user has deployed the
application afterwards (i.e. in a federated configuration) using the default
application name, the application can be named "IVT Application".
Alternatively, an administrator/user could have deployed the application with
an application name of their choice.

Note: When a standalone application server (e.g. AppSrv01) that was created
with the "ivtApp" federates its node to a Deployment Manager, the
configuration with the "ivtApp" is not migrated into the new federated
configuration. However, the old configuration is saved, and when the node is
unfederated the original configuration is restored, which will contain the
"ivtApp" that was deployed from profile creation.
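The wsadmin route above, as an added example that is not IBM's or the bulletin's code: a Jython script for wsadmin that locates the IVT application under the names the notes list (plus any administrator-chosen name passed in) and either replaces it with the fixed ivtApp.ear or uninstalls it. WAS_HOME is a placeholder; AdminApp and AdminConfig are the objects wsadmin provides to scripts, and the script does nothing when imported outside wsadmin.

```python
# Added example (not IBM's code): find the IVT application under any name the
# bulletin lists, then replace it with the fixed ivtApp.ear or uninstall it.
# Run with:  wsadmin -lang jython -f remediate_ivtapp.py  (Jython 2.1 syntax).
# WAS_HOME is a placeholder to edit; AdminApp/AdminConfig are wsadmin's objects.

WAS_HOME = '/opt/IBM/WebSphere/AppServer'   # placeholder, set to your <WAS_HOME>

# Names the bulletin says the IVT application may be deployed under.
KNOWN_IVT_APP_NAMES = ['ivtApp', 'IVT Application']

def find_ivt_apps(installed_list, extra_names=()):
    """Return installed application names that are the IVT application.
    installed_list is the newline-separated string AdminApp.list() returns;
    extra_names covers an administrator-chosen name no fixed list can guess."""
    wanted = KNOWN_IVT_APP_NAMES + list(extra_names)
    found = []
    for line in installed_list.splitlines():
        name = line.strip()
        if name and name in wanted:
            found.append(name)
    return found

def update_options(was_home):
    """AdminApp.update options for a full-application replacement from the
    fixed EAR; wsadmin accepts forward slashes on Windows as well."""
    return '[-operation update -contents %s/installableApps/ivtApp.ear]' % was_home

def remediate_ivtapp(admin_app, admin_config, was_home, mode='update', extra_names=()):
    """Update (mode='update') or remove (mode='uninstall') each IVT app found.
    Returns the (action, name) pairs performed; saves nothing if none found."""
    if mode not in ('update', 'uninstall'):
        raise ValueError('mode must be update or uninstall')
    actions = []
    for name in find_ivt_apps(admin_app.list(), extra_names):
        if mode == 'update':
            admin_app.update(name, 'app', update_options(was_home))
        else:
            admin_app.uninstall(name)
        actions.append((mode, name))
    if actions:
        admin_config.save()   # in Network Deployment, also synchronise the nodes
    return actions

try:
    AdminApp            # defined only when run by wsadmin
except NameError:
    pass                # imported elsewhere (e.g. for testing): do nothing
else:
    for action, app in remediate_ivtapp(AdminApp, AdminConfig, WAS_HOME):
        print('%s: %s' % (action, app))
```

Run it against the deployment manager in a Network Deployment environment and against each standalone application server otherwise, as the manual steps above direct.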

Acknowledgement

The vulnerability was reported to IBM by Mingxuan Song

Change History

12 November 2018: original document published

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
