Security Bulletin
Summary
PMQ UI web application sends non-secure cookies over SSL. It may be possible to steal user and session information (cookies) that was sent during an encrypted session.
Vulnerability Details
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Predictive Maintenance and Quality | 1.0.x |
| IBM Predictive Maintenance and Quality | 2.5.x |
| IBM Predictive Maintenance and Quality | 2.0.x |
Remediation/Fixes
In the administrative console: click on Application servers > PMQ_server > Session management > Enable cookies
Then navigate to Application servers > PMQ_server > Session management > cookies and set as below:
- Cookie name: JSESSIONID
- Set session cookies to HTTPOnly to help prevent cross-site scripting attacks.
- Cookie maximum age: Current browser session
- Set cookie path: /
Restart PMQ_server.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
CVEID: CVE-2020-4423
DESCRIPTION: PMQ UI Missing Secure Attribute in Encrypted Session (SSL) Cookie
CVSS Base Score: 4.3
CVSS Temporal Score: Undefined
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Change History
04 Nov 2020: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
28 April 2025
UID
ibm16379528