History: Jun 16, 2018 - 2:07 p.m.

Security Bulletin: Multiple IBM InfoSphere Information Server components are affected by a vulnerability in IBM Dojo Toolkit (CVE-2014-8917)

2018-06-16 14:07:30
www.ibm.com

EPSS: 0.004 (Percentile: 73.4%)

Summary

Multiple components of IBM InfoSphere Information Server may be affected by an XSS vulnerability in IBM Dojo Toolkit.

Vulnerability Details

CVE-ID: CVE-2014-8917

DESCRIPTION: IBM Dojo Toolkit is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99303 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM InfoSphere Cognos TM1 Connector: version 11.3
IBM InfoSphere Metadata Asset Manager: versions 8.7 to 11.3
IBM InfoSphere Information Server Business Glossary: versions 8.1 to 11.3
IBM InfoSphere DataStage Operations Console: versions 8.7 to 11.3
IBM InfoSphere Data Quality Console: versions 9.1 to 11.3
IBM InfoSphere Information Analyzer: versions 8.7 to 11.3
IBM InfoSphere DataClick: version 9.1

Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| InfoSphere Information Server and components | 11.3 | JR52127<br>JR52145<br>JR52264 | --Apply IBM InfoSphere Information Server version 11.3.1.1 |
| InfoSphere Information Server and components | 9.1 | JR52127<br>JR52145<br>JR52264 | --Apply IBM InfoSphere Information Server version 9.1.2.0<br>--Apply IBM InfoSphere Metadata Asset Manager Security Patch<br>--Apply the IBM InfoSphere Information Server Business Glossary Security Patch<br>--Apply the IBM InfoSphere DataStage Operations Console Security Patch<br>--Apply the IBM InfoSphere Data Quality Console Security Patch<br>--Apply the IBM InfoSphere Information Analyzer Security Patch<br>--Apply the IBM InfoSphere DataClick Security Patch |
| InfoSphere Information Server and components | 8.7 | JR52127<br>JR52145<br>JR52264 | --Apply IBM InfoSphere Information Server version 8.7 Fix Pack 2<br>--Apply the IBM InfoSphere Metadata Asset Manager Security Patch<br>--Apply the IBM InfoSphere Information Server Business Glossary Security Patch<br>--Apply the IBM InfoSphere DataStage Operations Console Security Patch<br>--Apply the IBM InfoSphere Information Analyzer Security Patch |
| InfoSphere Information Server and components | 8.5 | JR52145 | --Apply IBM InfoSphere Information Server version 8.5 Fix Pack 3<br>--Apply the IBM InfoSphere Business Glossary Security Patch |
| InfoSphere Information Server and components | 8.1 | JR52145 | IBM InfoSphere Business Glossary Customers should contact IBM customer support |

Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.

Workarounds and Mitigations

None
