IBM Support

JR59280: Information Server WEB APPLICATION LOGIN PAGES HAS A CROSS FRAMESCRIPTING (XFS) VULNERABILITY


APAR status

  • Closed as program error.

Error description

  • The system is vulnerable to a Cross-Frame Scripting (XFS) attack,
    which combines malicious JavaScript with an iframe that loads a
    legitimate page in an effort to steal data from an unsuspecting
    user. This attack is usually only successful when combined with
    social engineering. The fix is to send the X-Frame-Options response
    header (with the value SAMEORIGIN or DENY) on the login pages so
    that a browser refuses to render them inside a frame on another
    origin.
    
    CVSS Base Score: 6.1
    CVSS Temporal Score: See
    https://exchange.xforce.ibmcloud.com/vulnerabilities/139360 for
    the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
    
    APAR RECOMMENDATION:
    Please refer to the Security bulletin for remediation:
    http://www-01.ibm.com/support/docview.wss?uid=swg22014911
    

Local fix

  • N/A
    

Problem summary

  • *********************************************
    APAR Users Affected:
    *********************************************
    InfoSphere Information Governance Catalog users.
    
    *********************************************
    APAR Problem Description:
    *********************************************
    Protect the login pages against the cross-frame scripting (XFS)
    vulnerability. Cross-Frame Scripting (XFS) is an attack that
    combines malicious JavaScript with an iframe that loads a
    legitimate page in an effort to steal data from an unsuspecting
    user.
    
    *********************************************
    APAR Recommendation:
    *********************************************
    Refer to the Security bulletin for remediation:
    http://www-01.ibm.com/support/docview.wss?uid=swg22014911
    
    *********************************************
    

Problem conclusion

  • Apply the fix for JR59280
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR59280

  • Reported component name

    IS GOVCATLOG

  • Reported component ID

    5724Q36GC

  • Reported release

    B70

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2018-03-19

  • Closed date

    2018-06-01

  • Last modified date

    2018-06-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IS GOVCATLOG

  • Fixed component ID

    5724Q36GC

Applicable component levels

  • RB31 PSY

       UP

  • RB50 PSY

       UP

  • RB70 PSY

       UP

Product: InfoSphere Information Server (SSZJPZ), Version 11.7, Platform Independent. Line of Business: Data and AI.

Document Information

Modified date:
02 September 2021