IBM InfoSphere Master Data Management is vulnerable to clickjacking because the X-Frame-Options header is not included in its HTTP responses. A remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
CVEID: CVE-2016-9719
DESCRIPTION: IBM InfoSphere Master Data Management Server could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119733 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
This vulnerability is known to affect the following offerings:

Affected IBM InfoSphere Master Data Management Server | Affected Versions
---|---
IBM InfoSphere Master Data Management | 10.1
IBM InfoSphere Master Data Management | 11.0
IBM InfoSphere Master Data Management | 11.3
IBM InfoSphere Master Data Management | 11.4
IBM InfoSphere Master Data Management | 11.5
IBM InfoSphere Master Data Management | 11.6
For Inspector and Web Reports, the recommended solution is to apply the fix as soon as practical. See the table below for the fixes available.
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
IBM Initiate Master Data Service | 10.1 | None | 10.1.072717_IM_Initiate_MasterDataService_ALL_Interm Fix
IBM InfoSphere Master Data Management Standard/Advanced Edition | 11.0 | None | 11.0.0.6-MDM-SAE-FP06IF004
IBM InfoSphere Master Data Management Standard/Advanced Edition | 11.3 | None | 11.3.0.6-MDM-SE-AE-FP06IF001
IBM InfoSphere Master Data Management Standard/Advanced Edition | 11.4 | None | 11.4.0.7-MDM-SE-AE-FP07IF002
IBM InfoSphere Master Data Management Standard/Advanced Edition | 11.5 | None | 11.5.0.5-MDM-SAE-FP05IF001
IBM InfoSphere Master Data Management Standard/Advanced Edition | 11.6 | None | 11.6.0.2-MDM-SAE-IF001
For Business Admin UI the issue can be resolved by applying the fix manually. If the UI has been customized and the source code is already available, skip steps 1 and 2.
1. Locate the com.ibm.mdm.sample.ba.webapp.ear.zip file in the MDM samples.
2. Import the projects into RAD and follow "Downloading, configuring and deploying the sample".
3. Open SessionFilter.java from CommonUIModel.
   - In the doFilter method, add the following code at line 75:

```java
//PSIRT 88737 - X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
httpResponse.setHeader("X-Frame-Options", "SAMEORIGIN");
```

   - After the code change, run Build All.
4. Export CustomerBusinessAdmin as an EAR: from RAD, File -> Export -> EAR file (under Java EE). In the EAR Export wizard:
   - select 'CustomerBusinessAdmin' as the EAR project name
   - provide the destination and the EAR file name
5. Deploy the newly exported EAR on the server.
Note: Before installing the EAR on the server, make sure ClientAuthentication.properties and mdmUIConfiguration.properties in propertiesUI.jar have valid connection properties.
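Once the patched EAR is deployed, the result should be confirmed on the wire rather than assumed. The following Python script is an added example and is not IBM's code: it parses a raw HTTP response and reports whether a current browser would refuse to render it in a cross-origin frame, applying the rules browsers actually use. A Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options; DENY and SAMEORIGIN are the only X-Frame-Options values that are honoured; the obsolete ALLOW-FROM form, or any other value, is ignored and leaves the page frameable. The two sample responses are constructed here for illustration and are not captured from a real MDM server.

```python
"""Assess whether an HTTP response is protected against clickjacking.

Added example, not part of the IBM bulletin. Input is the raw text of an
HTTP/1.1 response; output is (protected, reason).
"""


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers).

    headers maps lower-cased header names to the list of values seen, in
    order, because repeated X-Frame-Options headers matter below.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def frame_ancestors_directive(csp_values):
    """Return the source list of the first frame-ancestors directive found
    in any Content-Security-Policy header, or None if there is none."""
    for policy in csp_values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def assess_clickjacking(headers):
    """Return (protected, reason) for a parsed header map.

    Browsers ignore X-Frame-Options entirely when a CSP frame-ancestors
    directive is present, so that is evaluated first.
    """
    fa = frame_ancestors_directive(headers.get("content-security-policy", []))
    if fa is not None:
        srcs = [s.strip("'").lower() for s in fa]
        if "*" in srcs:
            return False, "CSP frame-ancestors * permits any site to frame the page"
        if not srcs or srcs == ["none"]:
            return True, "CSP frame-ancestors 'none' blocks all framing"
        return True, "CSP frame-ancestors restricts framing to: " + " ".join(srcs)

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        return False, "no X-Frame-Options header and no CSP frame-ancestors directive"
    # A comma-separated value is treated like repeated headers.
    values = {v.strip().upper() for item in xfo for v in item.split(",")}
    if len(values) > 1:
        return False, "conflicting X-Frame-Options values %s; not reliably enforced across browsers" % sorted(values)
    value = values.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + value
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers, leaving the page frameable"
    return False, "unrecognised X-Frame-Options value %r; browsers ignore it" % value


def check(raw):
    """Convenience wrapper: raw response text -> (protected, reason)."""
    _, headers = parse_response(raw)
    return assess_clickjacking(headers)


# Constructed sample responses modelled on the before/after state described
# in the bulletin (not captured from a real server).
UNPATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=0000abc; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)
PATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

if __name__ == "__main__":
    for name, raw in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        ok, why = check(raw)
        print("%s: %s (%s)" % (name, "protected" if ok else "FRAMEABLE", why))
```

To check a live deployment, capture a Business Admin UI response with `curl -si` against the application URL (or copy it from the browser's network panel) and pass the text to `check()`; a FRAMEABLE verdict on the fixed build means the header is being stripped by an intermediary or the filter is not on the request path. Note that SAMEORIGIN still allows pages of the same origin to frame the UI; if no legitimate same-origin framing exists, DENY (or a CSP `frame-ancestors 'none'`) is the stricter choice.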
Workarounds and Mitigations: None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | infosphere_master_data_management | 10.1 | cpe:2.3:a:ibm:infosphere_master_data_management:10.1:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 10.1.0 | cpe:2.3:a:ibm:infosphere_master_data_management:10.1.0:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.0 | cpe:2.3:a:ibm:infosphere_master_data_management:11.0:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.0.0 | cpe:2.3:a:ibm:infosphere_master_data_management:11.0.0:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.3 | cpe:2.3:a:ibm:infosphere_master_data_management:11.3:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.4 | cpe:2.3:a:ibm:infosphere_master_data_management:11.4:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.5 | cpe:2.3:a:ibm:infosphere_master_data_management:11.5:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.6 | cpe:2.3:a:ibm:infosphere_master_data_management:11.6:*:*:*:*:*:*:* |