IBM Support

Security Bulletin: A security vulnerability has been idenfied in jQuery which affects DataQuant for z/OS (CVE-2019-11358)

Created by Rita Zimmer on
Published URL:
https://www.ibm.com/support/pages/node/1103991
1103991

Security Bulletin


Summary

A security vulnerability has been identified in jQuery that could affect DataQuant for z/OS.

Vulnerability Details

CVSS Base Score: 6.1
DESCRIPTION: jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Affected Products and Versions

Principal Products and Versions
DataQuant for z/OS 2.1

Remediation/Fixes

Steps to update jQuery – DataQuant

  1. Download the compressed, jQuery version 3.4.1 from below link -

https://code.jquery.com/jquery-3.4.1.min.js

2.    Open WebSphere server Administrative console and stop the DataQuant application, if it is running

3.    Go to file system directory where WebSphere server has installed the Data Quant for WebSphere application and navigate till “plugins” directory

Example plugins directory path:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\MyMachineNode01Cell\QMFWebSphere122_war.ear\QMFWebSphere122.war\WEB-INF\eclipse\plugins

4.          Select the folder which name starts with “com.ibm.bi.reporter_” and copy it to a temp directory

5.          Within the temp backup directory in step # 4 above, navigate to “reporter-config/html5/scripts” directory

6.          Delete jquery-1.11.3.min.js and place the downloaded file - jquery-3.4.1.min.js received in step # 1

7.          Go to reporter-config/html5 directory

8.          Update “index.html”, “index_android.html” and “index_ios.html” files using text editor and to point to new jQuery file as below:

<script type="text/javascript" src="{1}/html5/scripts/jquery-1.11.3.min.js"></script>

To be updated with:

              <script type="text/javascript" src="{1}/html5/scripts/jquery-3.4.1.min.js"></script>

9.           Copy the updated folder into the plugins directory path as per step # 3 & step #4

10.         Start the DataQuant application in WebSphere Administrative console

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSAUQR","label":"IBM DataQuant for z\/OS"},"Component":"","Platform":[{"code":"PF035","label":"z\/OS"}],"Version":"2.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
12 February 2021

UID

ibm11103991