Security Bulletin
Summary
Client-side HTTP Parameter Pollution in the WAS Intelligent Management admin console. TWAS pen testing uncovered an issue with the admin console that allows client-side HTTP Parameter Pollution. The user must be navigating the affected resources. Client-side HTTP parameter pollution (HPP) vulnerabilities arise when an application embeds user input in URLs in an unsafe manner. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify URLs within the response by inserting additional query string parameters and sometimes overriding existing ones. This may result in links and forms having unexpected side effects. In this case it is possible to inject and execute arbitrary JavaScript, but this requires that the user click the link; for this reason Coalfire has decreased the severity from High to Low.
Affects: WAS VE 7.0, WAS ND 8.5, 9.0. See the bulletin for fix pack and ifix details.
Vulnerability Details
CVEID: CVE-2019-4271
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable to a Client-side HTTP parameter pollution vulnerability. IBM X-Force ID: 160243.
CVSS Base score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/160243 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| --- | --- |
| InfoSphere Master Data Management | 11.6 |
Remediation/Fixes
For V9.0.0.0 through 9.0.0.11:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PH12533
--OR--
· Apply WebSphere Fix Pack 9.0.5.0 or later.
Workarounds and Mitigations
For V9.0.0.0 through 9.0.0.11:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PH12533
--OR--
· Apply WebSphere Fix Pack 9.0.5.0 or later.
References
WebSphere Security Bulletin Link: https://www-01.ibm.com/support/docview.wss?uid=ibm10884040
Change History
18 May 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date: 27 April 2022
UID: ibm16454143