IBM Support

Security Bulletin: IBM Initiate Master Data Service, IBM InfoSphere Master Data Management Standard and Advanced Editions are affected by Cross Site Scripting vulnerabilities in IBM Dojo Toolkit (CVE-2014-8917)

Created by Ray Brandt on
Published URL:
https://www.ibm.com/support/pages/node/525561
525561

Security Bulletin


Summary

IBM Web applications using file uploader services of IBM Dojo Toolkit might be subject to Cross Site Scripting vulnerability, caused by improper validation of user-supplied input.

Vulnerability Details

CVEID: CVE-2014-8917
DESCRIPTION: IBM Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99303for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM InfoSphere MDM Reference Data Management Versions 11.4, 11.3, 11.0, 10.1.

InfoSphere MDM Probabilistic Matching Engine for InfoSphere BigInsights Versions 11.0 and 11.3.

InfoSphere Big Match for Hadoop version 11.4

InfoSphere Initiate Master Data Service ( Inspector component and Web Reports component) versions 10.1,10.0, 9.7 and 9.5.

InfoSphere Master Data Management ( Inspector component and Web Reports component) versions 11.4, 11.3 and 11.0.

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. Please see below for information on the fixes available.

ProductVRMFAPARRemediation/First Fix
IBM InfoSphere Reference Data Management
11.4
None11.4-FP2
IBM InfoSphere Reference Data Management
11.3
None11.3-FP2
IBM InfoSphere Reference Data Management
11.0
None11.0-FP3
IBM InfoSphere Reference Data Management
10.1
None10.1-IF1
InfoSphere MDM Probabilistic Matching Engine for InfoSphere BigInsights
11.0
None11.0-FP1
InfoSphere MDM Probabilistic Matching Engine for InfoSphere BigInsights
11.3
None11.3-FP2
InfoSphere Big Match for Hadoop
11.4
None11.4-FP2
InfoSphere Initiate Master Data Service
9.5
None9.5.032215
InfoSphere Initiate Master Data Service
9.7
None9.7.032215
InfoSphere Initiate Master Data Service
10.0
None10.0.032215
InfoSphere Initiate Master Data Service
10.1
None10.1.032215
InfoSphere Master Data Management
11.0
None11.0-FP3
InfoSphere Master Data Management
11.3
None11.3-FP2

IWM Samples
InfoSphere Master Data Management
11.4
None11.4-FP2

IWM Samples

Get Notified about Future Security Bulletins

References

Off

Change History

06-February-2015: Original version published.
26-February-2015: Remediations/Fixes updated with RDM 11.3 FP2 link
10-March-2015: Remediations/Fixes updated with MDM 11.3 FP2 link(s)
12-March-2015: Affected Products and Versions updated.
23-March-2015: Remediations/Fixes updated.
08-April-2015: Remediations/Fixes updated with RDM 11.4 11.0 10.1 links.
09-April-2015: Remediations/Fixes updated with PME 11.0 11.3 and BigM 11.4 links

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSWSR9","label":"IBM InfoSphere Master Data Management"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"10.0;10.0.0;10.1;10.1.0;11.0;11.0.0;11.3;9.0;9.1;11.4;9.7;9.5;9.2","Edition":"Standard Edition;Advanced Edition","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSPVUA","label":"IBM InfoSphere Master Data Management Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSLVY3","label":"Initiate Master Data Service"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
27 April 2022

UID

swg21695767