Security Bulletin: IBM InfoSphere Information Server is vulnerable to insecure third party domain access (CVE-2021-29875)


Summary

An insecure third party domain access vulnerability in IBM InfoSphere Information Server was addressed.

Vulnerability Details

CVEID:   CVE-2021-29875
DESCRIPTION:   IBM InfoSphere Information Server could allow an attacker to obtain sensitive information due to an insecure third party domain access vulnerability.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
InfoSphere Information Server 11.7

Remediation/Fixes

Product: InfoSphere Information Server, Information Server on Cloud
VRMF: 11.7
APAR: JR63905
Remediation/First Fix:
    --Apply IBM InfoSphere Information Server version 11.7.1.0
    --Apply IBM InfoSphere Information Server version 11.7.1.3
    --WebSphere Application Server (WAS) cookies need to be updated as indicated in the steps below.
 

Steps to update WebSphere Application Server (WAS) cookies

1. LTPAToken2 cookies
    This applies to WAS Network Deployment and WAS Liberty installations.

    LTPAToken2 cookies are used to authenticate with web applications across multiple WebSphere Application Servers. To support Single Sign On (SSO), it is essential that they are visible from everywhere. Hence, they are set to the root path and there is no option to alter the path name.
    For information on SSO to minimize web user authentications, see
          https://www.ibm.com/docs/en/was/9.0.5?topic=users-implementing-single-sign-minimize-web-user-authentications

    Note that form login mechanisms for web applications require that SSO is enabled. If SSO is not yet configured, use the topic linked above to configure single sign-on for the first time.

    The names of the LTPAToken and LTPAToken2 cookies can be changed on individual servers to obtain an effect similar to restricting the cookie path: a server that still uses the default cookie name does not recognize the renamed cookie, so the cookie is effectively not visible to it.

2. JSESSIONID cookie
    For WAS Network Deployment:
        See https://www.ibm.com/support/pages/setting-httponly-and-secure-flags-websphere-application-server-cookies
        In WAS Administration console, navigate to
             servers > server types > WebSphere application servers > server1 > container settings > session management > Enable cookies > Cookie path > set cookie path
        Set the cookie path to /ibm/iis

    For WAS Liberty:
         The server.xml file in <IIS_INSTALL_LOCATION>/wlp/usr/servers/iis needs to be updated.
    Change
        <httpSession InvalidateOnUnauthorizedSessionRequestException="true" allowOverflow="true" cookieHttpOnly="true" cookieName="IIS-JSESSIONID" cookieSecure="true" cookiesEnabled="true" invalidationTimeout="1800" maxInMemorySessionCount="1000" securityIntegrationEnabled="true"/>
    to
        <httpSession InvalidateOnUnauthorizedSessionRequestException="true" allowOverflow="true" cookieHttpOnly="true" cookieName="IIS-JSESSIONID" cookieSecure="true" cookiesEnabled="true" cookiePath="/ibm/iis" invalidationTimeout="1800" maxInMemorySessionCount="1000" securityIntegrationEnabled="true"/>


         Restart the WebSphere Liberty server so that the new cookiePath takes effect.
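The Liberty edit in step 2 can be audited and applied by script, and the result checked against the Set-Cookie headers a restarted server actually returns. The following is an added example, not IBM's code and not part of this bulletin: it assumes the httpSession attribute names shown above (cookieName, cookiePath, cookieSecure, cookieHttpOnly); the server.xml fragment and the Set-Cookie values embedded in it are constructed samples, and /ibm/iis is the path the bulletin specifies.

```python
"""Audit and harden the IIS Liberty <httpSession> cookie settings, then verify
the cookies a running server actually sets.

Added example, not IBM code. Assumes the <httpSession> attribute names shown in
the bulletin (cookieName, cookiePath, cookieSecure, cookieHttpOnly). The sample
server.xml fragment and the Set-Cookie values below are constructed.
"""
import xml.etree.ElementTree as ET

# Path the bulletin tells you to scope the session cookie to.
EXPECTED_PATH = "/ibm/iis"

# Constructed sample: the pre-fix <httpSession> line from the bulletin, wrapped
# in a minimal <server> root so it parses stand-alone (no cookiePath yet).
SAMPLE_SERVER_XML = """<server description="iis">
  <httpSession InvalidateOnUnauthorizedSessionRequestException="true" allowOverflow="true" cookieHttpOnly="true" cookieName="IIS-JSESSIONID" cookieSecure="true" cookiesEnabled="true" invalidationTimeout="1800" maxInMemorySessionCount="1000" securityIntegrationEnabled="true"/>
</server>
"""

# Constructed sample: Set-Cookie header values as a hardened server would emit
# them (the LtpaToken2 value is a placeholder, not a real token).
SAMPLE_SET_COOKIE = [
    "IIS-JSESSIONID=0000A1B2C3:-1; Path=/ibm/iis; Secure; HttpOnly",
    "LtpaToken2=dGVzdA; Path=/; Secure; HttpOnly",
]


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_http_session(xml_text, expected_path=EXPECTED_PATH):
    """Report whether <httpSession> in server.xml scopes and flags the cookie."""
    sess = ET.fromstring(xml_text).find("httpSession")
    if sess is None:
        return {"present": False}
    a = sess.attrib
    return {
        "present": True,
        "cookie_name": a.get("cookieName"),
        "path_ok": a.get("cookiePath") == expected_path,
        "secure_ok": _is_true(a.get("cookieSecure")),
        "httponly_ok": _is_true(a.get("cookieHttpOnly")),
    }


def harden_http_session(xml_text, expected_path=EXPECTED_PATH):
    """Return server.xml text with cookiePath, cookieSecure and cookieHttpOnly
    set on <httpSession>; idempotent, so re-running it changes nothing."""
    root = ET.fromstring(xml_text)
    sess = root.find("httpSession")
    if sess is None:
        raise ValueError("server.xml has no <httpSession> element")
    sess.set("cookiePath", expected_path)
    sess.set("cookieSecure", "true")
    sess.set("cookieHttpOnly", "true")
    return ET.tostring(root, encoding="unicode")


def cookie_findings(set_cookie_values, expected_path=EXPECTED_PATH):
    """Parse Set-Cookie header values (e.g. copied from `curl -sI`) and report,
    per cookie, its Path and flags. LtpaToken2 legitimately reports Path=/
    because WAS does not allow its path to be changed (step 1 above)."""
    findings = {}
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].split("=", 1)[0]
        flags = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            flags[key.lower()] = val or True
        path = flags.get("path")
        findings[name] = {
            "path": path,
            "scoped": path == expected_path,
            "secure": "secure" in flags,
            "httponly": "httponly" in flags,
        }
    return findings


if __name__ == "__main__":
    print("before:", audit_http_session(SAMPLE_SERVER_XML))
    fixed = harden_http_session(SAMPLE_SERVER_XML)
    print("after: ", audit_http_session(fixed))
    for name, f in cookie_findings(SAMPLE_SET_COOKIE).items():
        print(f"{name}: path={f['path']} scoped={f['scoped']} "
              f"secure={f['secure']} httponly={f['httponly']}")
```

ElementTree discards XML comments and the declaration when it re-serializes, so on a production server.xml use harden_http_session to generate the corrected httpSession line and then edit the file by hand rather than overwriting it. After the restart, feed the server's real Set-Cookie values into cookie_findings: the session cookie should report scoped=True, while LtpaToken2 reporting Path=/ is expected and is the case step 1 addresses by renaming rather than by path.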

Workarounds and Mitigations

None

References

Change History

29 Oct 2021: Initial Publication
15 Feb 2022: Added additional steps to change WebSphere cookies

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Document Information

Modified date:
15 February 2022

UID

ibm16509616