IBM Support

Security Bulletin: Cross-site scripting and privilege escalation vulnerabilities in WebSphere Application Server Liberty affect IBM Spectrum Protect Operations Center (CVE-2018-1767, CVE-2018-1901)

Created by Robyn Stillwell on
Published URL:
https://www.ibm.com/support/pages/node/883132
883132

Security Bulletin


Summary

IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting and escalation of privileges which can affect IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center.

Vulnerability Details

CVEID: CVE-2018-1767
DESCRIPTION: IBM WebSphere Application Server Cachemonitor is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148621 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2018-1901
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152530 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

The following levels of IBM Spectrum Protect (formerly Tivoli Storage Manager) Operations Center are affected:

  • 8.1.0.000 through 8.1.7.xxx
  • 7.1.0.000 through 7.1.9.100

Remediation/Fixes

IBM Spectrum Protect
Operations Center Release
First Fixing
VRM Level
Platform Link to Fix
            8.1 8.1.8 AIX
Linux
Windows
           7.1
7.1.9.200
AIX
Linux
Windows

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

CVE-2018-1767 vulnerability was reported to IBM by vah13

Change History

28 June 2019 - original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Advisory 12873 Record 124222 and
Advisory 13768 Record 127797

Document Location

Worldwide

[{"Business Unit":{"code":"BU054","label":"Systems w\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Operations Center","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.1;7.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Component":"Operations Center","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"7.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
28 June 2019

UID

ibm10883132