FileNet Workplace is susceptible to the Open Redirection Vulnerability.
Relevant CVE Information:
DESCRIPTION: IBM FileNet Workplace could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)
Affected Products and Versions
FileNet Workplace 4.0.2
Refer to the Workarounds and Mitigations section below.
Workarounds and Mitigations
First, upgrade to Workplace 188.8.131.52 IF001 (184.108.40.206-P8AE-IF001).
Then, to avoid the Open Redirection vulnerability, ensure that only the Workplace Baseline URL is used to access pages.
This is configured in the securityFilter.xml file, generally located in the install path under the Workplace/WEB-INF directory.
List all applicable Workplace Baseline URLs in the urlWhitelist section.
You may specify SSL and/or non-SSL URLs in the following format:
Workplace Baseline URLs that are not included in the urlWhitelist section will be filtered out and not used.
Get Notified about Future Security Bulletins
This vulnerability was reported to IBM by Roshan Thomas at secvibe.com
22 July 2016: Original version published
4 October 2016: Updated links
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
17 June 2018