Security Bulletin
Summary
A remote code execution vulnerability exists in the Spring Security OAuth version used by IBM Spectrum Symphony 7.2.1 and 7.2.0.2. Interim fixes that provide instructions on upgrading the Spring Security OAuth package to version 2.0.18 (which resolves this vulnerability) are available on IBM Fix Central.
Vulnerability Details
Description: Spring Security OAuth could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using redirect_uri parameter in a specially-crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base Score: 7.4
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/162650 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
Affected Products and Versions
IBM Spectrum Symphony 7.2.1
IBM Spectrum Symphony 7.2.0.2
Remediation/Fixes
Download the interim fixes that correspond to your product version from IBM Fix Central, then follow the steps in the accompanying readme to apply the interim fix on Linux x86_64 hosts in your cluster:
|
IBM Spectrum Symphony 7.2.1 (x86_64) |
|
|
IBM Spectrum Symphony 7.2.0.2 (x86_64) |
Workarounds and Mitigations
None.
Get Notified about Future Security Bulletins
References
Change History
July 3, 2019: Original version.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
03 July 2019
UID
ibm10888399