Jun 15, 2018 - 7:08 a.m.

Security Bulletin: Vulnerability in system log on IBM DataPower Gateways WebGUI (CVE-2017-1591)

2018-06-15 07:08:12
www.ibm.com

EPSS: 0.001 (Low), percentile 43.2%

Summary

A potential cross-site scripting vulnerability exists in the DataPower system log. IBM has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2017-1591
DESCRIPTION: IBM WebSphere DataPower Appliances is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality, potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132368 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM DataPower Gateways appliances, versions 7.0.0.0-7.0.0.19, 7.1.0.0-7.1.0.18, 7.2.0.0-7.2.0.15, 7.5.0.0-7.5.0.9, 7.5.1.0-7.5.1.8, 7.5.2.0-7.5.2.8, 7.6.0.0

Remediation/Fixes

The fix is available in versions 7.0.0.20, 7.1.0.19, 7.2.0.16, 7.5.0.10, 7.5.1.9, 7.5.2.9, 7.6.0.1. Refer to APAR IT22119 for URLs to download the fix.

You should verify that applying this fix does not cause any compatibility issues.

For DataPower customers using versions 6.x and earlier versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
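
To triage an inventory against the ranges above, the following added example (not part of the IBM bulletin and not IBM code) classifies a firmware level per branch, comparing the last component numerically so that 7.5.0.10 is not mistaken for a level below 7.5.0.9. The host names and version strings are constructed, and the optional model prefix such as `IDG.` is an assumption about how the level is reported.

```python
import re

# First fixed level per branch, copied from the Remediation/Fixes section.
FIXED = {
    (7, 0, 0): 20, (7, 1, 0): 19, (7, 2, 0): 16, (7, 5, 0): 10,
    (7, 5, 1): 9, (7, 5, 2): 9, (7, 6, 0): 1,
}

def parse_version(text):
    """Return the trailing four-part version of a string as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)$", text.strip())
    if not m:
        raise ValueError(f"not a four-part firmware version: {text!r}")
    return tuple(int(p) for p in m.groups())

def assess(text):
    """Return (status, first_fixed_level_or_None) for one firmware version."""
    v = parse_version(text)
    branch, level = v[:3], v[3]
    if v[0] <= 6:
        # Bulletin: 6.x and earlier should move to a fixed, supported release.
        return ("unsupported-upgrade", None)
    if branch not in FIXED:
        # Branch is not listed in the bulletin; report that instead of guessing.
        return ("not-listed", None)
    fixed = ".".join(map(str, branch + (FIXED[branch],)))
    # Integer comparison: as strings, "10" sorts before "9".
    if level < FIXED[branch]:
        return ("affected", fixed)
    return ("fixed", fixed)

# Constructed inventory (host names and versions are made up for illustration).
INVENTORY = {
    "dp-edge-01": "IDG.7.5.0.9",
    "dp-edge-02": "IDG.7.5.0.10",
    "dp-core-01": "7.6.0.0",
    "dp-lab-01": "6.0.1.4",
}

def report(inventory):
    """Map each host to its (status, first_fixed_level_or_None) result."""
    return {host: assess(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, (status, fixed) in report(INVENTORY).items():
        print(f"{host}: {status}" + (f" (first fixed level {fixed})" if fixed else ""))
```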

Workarounds and Mitigations

None
