IT27939: VULNERABILITY FOUND DURING PENETRATION TEST

Direct links to fixes

IBM Spectrum Control 5.2.17.3 - Windows Server
IBM Spectrum Control 5.2.17.3 - Linux Server
IBM Spectrum Control 5.2.17.3 - Agents
IBM Spectrum Control 5.2.17.3 - AIX Server

APAR status

Closed as program error.

Error description

DETAIL OF PROBLEM:
The IBM Spectrum Control GUI is vulnerable by XSS attack on the
notification settings page.
It is possible that the page can be injected by malicious code.
The code will not keep in the page, but will be activated by
enter the HTML that the victim will get and that holds the
vulnerabilities parameters.

RECREATE STEPS:
In the IBM Spectrum Control GUI - Settings - Alert Notifications
(email)
Fill out the user name with the malicious code:
<img src=xonerror=alert()>

Local fix

Problem summary

****************************************************************
* USERS AFFECTED:                                              *
* IBM Spectrum Control 5.2.x and 5.3.x users                   *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* The IBM Spectrum Control GUI is vulnerable by XSS attack on  *
* the                                                          *
* email configuration settings on the notification settings    *
* page.                                                        *
*                                                              *
* It is possible that the page can be injected by malicious    *
* code.                                                        *
* The code will not keep in the page, but will be activated by *
* enter the HTML that the victim will get and that holds the   *
* vulnerabilities parameters.                                  *
****************************************************************
* RECOMMENDATION:                                              *
* Apply fix maintenance when available                         *
****************************************************************

Problem conclusion

The fix for this APAR is contained in the following releases:

IBM Spectrum Control 5.2.17.3 | 5.2.17-TIV-TPC-FP0003 | May 2019

IBM Spectrum Control 5.3.2 | 5.3.2-IBM-SC | Feb 2019

http://www.ibm.com/support/docview.wss?&uid=swg21320822

Temporary fix

Comments

APAR Information

APAR number
IT27939
Reported component name
TPC ADVANCED
Reported component ID
5608TPCA0
Reported release
52B
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-01-31
Closed date
2019-05-06
Last modified date
2019-05-07

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Modules/Macros

```
WAS
```

Fix information

Fixed component name
TPC ADVANCED
Fixed component ID
5608TPCA0

Applicable component levels

[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSNECY","label":"Tivoli Storage Productivity Center Advanced"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"52B"}]

Document Information

Modified date:
24 June 2022

Tips

IT27939: VULNERABILITY FOUND DURING PENETRATION TEST

Direct links to fixes

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Modules/Macros

Fix information

Fixed component name

Fixed component ID

Applicable component levels

Document Information

Share your feedback

Need support?