IBM Support

Security Bulletin: IBM Cloud Manager with Openstack XSS in Swift vulnerability (CVE-2014-3497)

Created by Le Tian Ren on

Security Bulletin


Summary

The OpenStack Swift server included in IBM Cloud Manager with Openstack is vulnerable to a XSS attack.

Vulnerability Details

CVE ID: CVE-2014-3497

Description: OpenStack Swift is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/94089 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Cloud Manager with OpenStack 4.1.0

Remediation/Fixes

Product

VRMFAPARRemediation/First FixRequired Action
Cloud Manager with OpenStack4.1.0NoneCloud Manager with OpenStack 4.1.0.3 Fix Pack:
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Cloud+Manager+with+Openstack&release=4.1.0.2&platform=All&function=fixId&fixids=+4.1.0.3-IBM-CMWO-FP03+&includeSupersedes=0
Cloud Manager with OpenStack 4.1.0.3 Fix Pack:
http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400001884

Workarounds and Mitigations

Only IBM Cloud Manager with Openstack configurations using Swift are affected.

Get Notified about Future Security Bulletins

References

Off

Change History

24 October 2014: Revised for clarity
23 September 2014: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SST55W","label":"IBM Cloud Manager with OpenStack"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"}],"Version":"4.1.0","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
07 August 2018

UID

isg3T1021238