IBM Support

JR59280: Information Server WEB APPLICATION LOGIN PAGES HAS A CROSS FRAMESCRIPTING (XFS) VULNERABILITY

A fix is available

Download the mod pack for IBM InfoSphere Information Server 11.7.1.0 In-Place Upgrade

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • System is vulnerable for the Cross-Frame Scripting (XFS) attack
that combines malicious
JavaScript with an iframe that loads a legitimate page in an
effort to steal data from an unsuspecting user. This attack is
usually only successful when combined with social engineering.
The fix is to use the X-FRAME-OPTIONS response header value (set
to value SAMEORIGIN or DENY) for the login windows.

CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/139360 for
the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

APAR RECOMMENDATION:
Please refer to the Security bulletin for remediation:
http://www-01.ibm.com/support/docview.wss?uid=swg22014911

Local fix

  • N/A

Problem summary

  • *********************************************
APAR Users Affected:
*********************************************
InfoSphere Information Governance Catalog users.

*********************************************
APAR Problem Description:
*********************************************
To fix the Login Pages from cross frame scripting (XFS)
vulnarability. Cross-Frame Scripting (XFS) is an attack that
combines malicious JavaScript with an iframe that loads a
legitimate page in an effort to steal data from an unsuspecting
user.

*********************************************
APAR Recommendation:
*********************************************
Refer to the Security bulletin for remediation:
http://www-01.ibm.com/support/docview.wss?uid=swg22014911

*********************************************

Problem conclusion

  • Apply the fix for JR59280

Temporary fix

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    JR59280
    • 

  • Reported component name
    IS GOVCATLOG
    • 

  • Reported component ID
    5724Q36GC
    • 

  • Reported release
    B70
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2018-03-19
    • 

  • Closed date
    2018-06-01
    • 

  • Last modified date
    2018-06-01
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    IS GOVCATLOG
    • 

  • Fixed component ID
    5724Q36GC
    • 



Applicable component levels


    

  • RB31  PSY
       UP
    • 

  • RB50  PSY
       UP
    • 

  • RB70  PSY
       UP
    • 








      
              
                            

              

              [{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSZJPZ","label":"InfoSphere Information Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"11.7"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            02 September 2021
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback