A security vulnerability has been identified in jQuery that could affect DataQuant for z/OS.
CVEID:CVE-2019-11358
CVSS Base Score: 6.1
**DESCRIPTION:**jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
DataQuant for z/OS 2.1
Steps to update jQuery – DataQuant
https://code.jquery.com/jquery-3.4.1.min.js
2. Open WebSphere server Administrative console and stop the DataQuant application, if it is running
3. Go to file system directory where WebSphere server has installed the Data Quant for WebSphere application and navigate till “plugins” directory
Example plugins directory path:
C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\MyMachineNode01Cell\QMFWebSphere122_war.ear\QMFWebSphere122.war\WEB-INF\eclipse\plugins
4. Select the folder which name starts with “com.ibm.bi.reporter_” and copy it to a temp directory
5. Within the temp backup directory in step # 4 above, navigate to “reporter-config/html5/scripts” directory
6. Delete jquery-1.11.3.min.js and place the downloaded file - jquery-3.4.1.min.js received in step # 1
7. Go to reporter-config/html5 directory
8. Update “index.html”, “index_android.html” and “index_ios.html” files using text editor and to point to new jQuery file as below:
<script type=“text/javascript” src=“{1}/html5/scripts/jquery-1.11.3.min.js”></script>
To be updated with:
<script type=“text/javascript” src=“{1}/html5/scripts/jquery-3.4.1.min.js”></script>
9. Copy the updated folder into the plugins directory path as per step # 3 & step #4
10. Start the DataQuant application in WebSphere Administrative console
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm dataquant for z/os | eq | 2.1 |