IBM InfoSphere Master Data Management is vulnerable to a cross-site scripting (XSS) Attack and could allow users to embed arbitrary JavaScript code in the Web UI and lead to disclosure of credentials.
CVEID: CVE-2017-1199**
DESCRIPTION:** IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
This vulnerability is known to affect the following offerings:
Affected IBM InfoSphere Master Data Management Server
|
Affected Versions
—|—
IBM InfoSphere Master Data Management Server| 10.1
IBM InfoSphere Master Data Management Server| 11.0
IBM InfoSphere Master Data Management Server| 11.3
IBM InfoSphere Master Data Management Server| 11.4
IBM InfoSphere Master Data Management Server| 11.5
IBM InfoSphere Master Data Management Server| 11.6
The recommended solution is to apply the fix as soon as practical. Please see below for information on how to apply the fix:
If you have customized the UI and the source code is already available skip step #1 and #2.
1. Locate the com.ibm.mdm.sample.ds.webapp.ear.zip file from MDM sample.
2. Import the projects into RAD and follow Downloading, configuring and deploying the sample
3. Open SessionFilter.java from CommonUIModel
- In doFilter method add the below code provided code at line number 75
httpResponse.setHeader(“Content-Security-Policy”, “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; connect-src ‘self’; img-src ‘self’; style-src ‘self’ ‘unsafe-inline’”);
//#Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
httpResponse.setHeader(“X-Content-Security-Policy”, “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; connect-src ‘self’; img-src ‘self’; style-src ‘self’ ‘unsafe-inline’”);
//Used by Chrome until version 25
httpResponse.setHeader(“X-WebKit-CSP”, “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; connect-src ‘self’; img-src ‘self’; style-src ‘self’ ‘unsafe-inline’”);
//<https://www.owasp.org/index.php/List_of_useful_HTTP_headers>
httpResponse.setHeader(“X-Content-Type-Options”,“nosniff”);
httpResponse.setHeader(“X-XSS-Protection”,“1”);
//one year = 31536000
httpResponse.setHeader(“Strict-Transport-Security”,“max-age=31536000”);
- After the code changes are done build all projects
4. Export CustomerDataStewardship as EAR
Then From RAD, File -> Export -> Ear File (Under Java EE)
in EAR Export wizard
- select EAR Project name as ‘CustomerDataStewardship’
- Then provide the destination , that earfile name
5. Deploy the this new exported EAR on server
Note: Before installing EAR on server make sure ClientAuthentication.properties and mdmUIConfiguration.properties of propertiesUI.jar have valid connection properties.
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | infosphere_master_data_management | 10.1 | cpe:2.3:a:ibm:infosphere_master_data_management:10.1:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 10.1.0 | cpe:2.3:a:ibm:infosphere_master_data_management:10.1.0:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.0 | cpe:2.3:a:ibm:infosphere_master_data_management:11.0:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.0.0 | cpe:2.3:a:ibm:infosphere_master_data_management:11.0.0:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.3 | cpe:2.3:a:ibm:infosphere_master_data_management:11.3:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.4 | cpe:2.3:a:ibm:infosphere_master_data_management:11.4:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.5 | cpe:2.3:a:ibm:infosphere_master_data_management:11.5:*:*:*:*:*:*:* |
ibm | infosphere_master_data_management | 11.6 | cpe:2.3:a:ibm:infosphere_master_data_management:11.6:*:*:*:*:*:*:* |