===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1692
  Rational DOORS Web Access is affected by a cross-site scripting vulnerability
                                 14 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Rational DOORS Web Access
Publisher:         IBM
Operating System:  Linux variants
                   Solaris
                   Windows
Impact/Access:     Cross-site Scripting -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1975
Reference:         ESB-2019.1104
                   ESB-2019.0818.2
                   ESB-2019.0106

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10883198

---------------------------BEGIN INCLUDED TEXT--------------------

Rational DOORS Web Access is affected by a cross-site scripting vulnerability

Product:             Rational DOORS Web Access
Component:           Configuration
Software version:    9.5.1, 9.5.1.1, 9.5.1.2, 9.5.1.3, 9.5.1.4, 9.5.1.5,
                     9.5.1.6, 9.5.1.7, 9.5.1.8, 9.5.1.9, 9.5.1.10, 9.5.2,
                     9.5.2.1, 9.5.2.2, 9.5.2.3, 9.5.2.4, 9.5.2.5, 9.5.2.6,
                     9.5.2.7, 9.5.2.8, 9.5.2.9, 9.6, 9.6.0.1, 9.6.0.2,
                     9.6.0.3, 9.6.0.4, 9.6.0.5, 9.6.0.6, 9.6.0.7, 9.6.0.8,
                     9.6.1, 9.6.1.1, 9.6.1.2, 9.6.1.3, 9.6.1.4, 9.6.1.7,
                     9.6.1.8, 9.6.1.9, 9.6.1.10, 9.6.1.11
Operating system(s): Linux, Solaris, Windows
Reference #:         0883198

Security Bulletin

Summary

Rational DOORS Web Access is affected by a cross-site scripting vulnerability.

Vulnerability Details

CVEID: CVE-2018-1975
DESCRIPTION: IBM DWA is vulnerable to cross-site scripting. This vulnerability
allows users to embed arbitrary JavaScript code in the Web UI, thus altering
the intended functionality and potentially leading to credentials disclosure
within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153916
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Rational DOORS Web Access: 9.5.1 - 9.5.1.10
Rational DOORS Web Access: 9.5.2 - 9.5.2.9
Rational DOORS Web Access: 9.6.0 - 9.6.0.8
Rational DOORS Web Access: 9.6.1 - 9.6.1.11

Remediation/Fixes

Upgrade to the fix pack that corresponds to the version of Rational DOORS Web
Access that you are running, as shown in the following table.

+---------------------------+-----------------------------+
|Rational DOORS version     |Upgrade to fix pack          |
+---------------------------+-----------------------------+
|9.5.1                      |9.5.1.11                     |
|9.5.1.1 - 9.5.1.10         |                             |
+---------------------------+-----------------------------+
|9.5.2                      |9.5.2.10                     |
|9.5.2.1 - 9.5.2.9          |                             |
+---------------------------+-----------------------------+
|9.6.0                      |9.6.0.9                      |
|9.6.0.1 - 9.6.0.8          |                             |
+---------------------------+-----------------------------+
|9.6.1                      |9.6.1.12                     |
|9.6.1.1 - 9.6.1.11         |                             |
+---------------------------+-----------------------------+

For Rational DOORS version 9.5.1.x and earlier, IBM recommends upgrading to a
fixed, supported version/release/platform of the product.

Workarounds and Mitigations

None

Change History

10 May 2019: Original version published

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.