Security Bulletin
Summary
A security vulnerability has been identified in jQuery that could affect DataQuant for z/OS.
Vulnerability Details
DESCRIPTION: jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
Affected Products and Versions
| Principal Products and Versions |
|---|
| DataQuant for z/OS 2.1 |
Remediation/Fixes
Steps to update jQuery – DataQuant
1. Download the compressed jQuery version 3.4.1 file from the link below:
https://code.jquery.com/jquery-3.4.1.min.js
2. Open the WebSphere server Administrative console and stop the DataQuant application if it is running.
3. Go to the file system directory where the WebSphere server has installed the DataQuant for WebSphere application and navigate to the “plugins” directory.
Example plugins directory path:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\MyMachineNode01Cell\QMFWebSphere122_war.ear\QMFWebSphere122.war\WEB-INF\eclipse\plugins
4. Select the folder whose name starts with “com.ibm.bi.reporter_” and copy it to a temp directory.
5. Within the temp backup directory from step 4, navigate to the “reporter-config/html5/scripts” directory.
6. Delete jquery-1.11.3.min.js and place the file downloaded in step 1, jquery-3.4.1.min.js, in this directory.
7. Go to the reporter-config/html5 directory.
8. Update the “index.html”, “index_android.html” and “index_ios.html” files using a text editor to point to the new jQuery file, as below:
<script type="text/javascript" src="{1}/html5/scripts/jquery-1.11.3.min.js"></script>
To be updated with:
<script type="text/javascript" src="{1}/html5/scripts/jquery-3.4.1.min.js"></script>
9. Copy the updated folder into the plugins directory path, as per step 3 and step 4.
10. Start the DataQuant application in the WebSphere Administrative console.
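A post-update check for steps 5 to 8, added here as an example and not part of the IBM bulletin or product: it confirms the old jQuery file is gone, the new one is in place, and all three index pages load only jquery-3.4.1.min.js. It assumes Python 3 is available on the server; the function names and the sample tree are hypothetical and constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

OLD_JS = "jquery-1.11.3.min.js"  # file deleted in step 6
NEW_JS = "jquery-3.4.1.min.js"   # file added in step 6
INDEX_FILES = ("index.html", "index_android.html", "index_ios.html")  # step 8
# Captures any jquery-<version>[.min].js file name referenced in a src attribute.
SRC_RE = re.compile(r'src="[^"]*?(jquery-\d+(?:\.\d+)*(?:\.min)?\.js)"')

def check_plugin(plugin_dir):
    """Return a list of findings; an empty list means steps 5-8 were applied."""
    html5 = Path(plugin_dir) / "reporter-config" / "html5"
    scripts = html5 / "scripts"
    findings = []
    if (scripts / OLD_JS).exists():
        findings.append(f"{OLD_JS} still present in scripts directory")
    if not (scripts / NEW_JS).is_file() or (scripts / NEW_JS).stat().st_size == 0:
        findings.append(f"{NEW_JS} missing or empty in scripts directory")
    for name in INDEX_FILES:
        page = html5 / name
        if not page.is_file():
            findings.append(f"{name} not found")
            continue
        refs = SRC_RE.findall(page.read_text(encoding="utf-8", errors="replace"))
        if NEW_JS not in refs:
            findings.append(f"{name} does not load {NEW_JS}")
        findings += [f"{name} still loads {r}" for r in refs if r != NEW_JS]
    return findings

def make_sample(root, js_name):
    """Constructed sample tree (not real product files) for trying the check."""
    html5 = Path(root) / "reporter-config" / "html5"
    (html5 / "scripts").mkdir(parents=True)
    (html5 / "scripts" / js_name).write_text("/* placeholder */")
    tag = f'<script type="text/javascript" src="{{1}}/html5/scripts/{js_name}"></script>'
    for name in INDEX_FILES:
        (html5 / name).write_text(tag)
    return root

if __name__ == "__main__":
    # Pass the com.ibm.bi.reporter_* folder; with no argument a constructed sample is checked.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp(), OLD_JS)
    problems = check_plugin(target)
    print("\n".join(problems) or "OK")
    sys.exit(1 if problems else 0)
```

Run it against the temp copy before step 9, and again against the folder in the plugins directory before restarting the application in step 10.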
Workarounds and Mitigations
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
12 February 2021
UID
ibm11103991