Security Bulletin: IBM Sterling B2B Integrator Standard Edition does not correctly restrict frame objects

Published: 2024-06-25 15:49:04 | Source: www.ibm.com

CVSS3: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: LOW; Integrity Impact: LOW; Availability Impact: NONE
AI Score: 6.6 (Confidence: High)
EPSS: 0 (Percentile: 13.7%)

Summary

IBM Sterling B2B Integrator Standard Edition does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

Vulnerability Details

CVEID: CVE-2023-42011
**DESCRIPTION:** IBM Sterling B2B Integrator Standard Edition does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265508 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling B2B Integrator | 6.2 |
| IBM Sterling B2B Integrator | 6.1 |

Remediation/Fixes

B2Bi already sends the X-FRAME-OPTIONS: SAMEORIGIN response header, which means that content shown in an iFrame must come from the same host to which the HTTP request is made. So a B2Bi page cannot be embedded in an iFrame on an attacker's web site unless the attacker has access to the web server that hosts B2Bi, which means they would have to be an administrator. Please note that this fix is already part of the affected releases of B2Bi and no update or patch is required.
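The same-origin framing rule the remediation relies on, modelled as an added example (not IBM's or B2Bi's code): given a page's response headers, decide whether a browser would let another origin frame it. It goes beyond the bulletin's header by also evaluating a CSP frame-ancestors directive, which takes precedence over X-Frame-Options when both are present; the host names are placeholders.

```python
"""Model browser framing decisions from X-Frame-Options and CSP frame-ancestors."""
from urllib.parse import urlparse


def _origin(url: str) -> str:
    """Scheme + host[:port], lower-cased; the unit same-origin is judged on."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _source_matches(source: str, embedder: str) -> bool:
    """Minimal CSP source matching: '*', 'https:', 'a.b', 'https://a.b', '*.b'.
    Ports are ignored for brevity; real browsers also compare them."""
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme-only source
        return embedder.startswith(source)
    host = urlparse(embedder).hostname or ""
    src_host = source.split("://", 1)[-1].split(":")[0]
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return host == src_host


def may_be_framed_by(headers: dict, page_url: str, embedder_url: str) -> bool:
    """True if a browser would let embedder_url put page_url in an iframe.
    frame-ancestors, when present, overrides X-Frame-Options; with neither
    header the page is embeddable from any site (the CWE-1021 condition)."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if "none" in sources:
                return False
            if "self" in sources and embedder == page:
                return True
            return any(_source_matches(s, embedder) for s in sources if s != "self")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    return True   # unrecognised values (incl. obsolete ALLOW-FROM) are ignored by browsers


# Constructed sample: the header the bulletin says B2Bi already sends.
B2BI_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}
B2BI_URL = "https://b2bi.example.test:8443/dashboard"   # placeholder host
```

Run it against the headers of your own deployment's dashboard URL to confirm the restricting header is actually reaching the browser (a reverse proxy that strips it would reintroduce the exposure).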

Workarounds and Mitigations

  • Provide careful separation of duties between the server administrator and the B2Bi privileged users who have access to the B2Bi dashboard.
  • No patch or update is required for B2Bi because the affected releases already contain the restricting header.

Affected configurations

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | sterling_b2b_integrator | 6.0.0.0 | cpe:2.3:a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:* |
| ibm | sterling_b2b_integrator | 6.2.0.2 | cpe:2.3:a:ibm:sterling_b2b_integrator:6.2.0.2:*:*:*:*:*:*:* |
