Lucene search

K
ibmIBM4D4780E86B114FF56ACCE0A8630D755DC2949636E333C4AAA8BD359E9819825C
HistoryJun 17, 2018 - 12:16 p.m.

Security Bulletin: FileNet Workplace can be affected by the Open Redirection Vulnerability (CVE-2016-3047)

2018-06-1712:16:23
www.ibm.com
9

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

4.9 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

30.7%

Summary

FileNet Workplace is susceptible to the Open Redirection Vulnerability.

Vulnerability Details

Relevant CVE Information: CVEID: CVE-2016-3047**
DESCRIPTION:** IBM FileNet Workplace could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114709 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

FileNet Workplace 4.0.2

Remediation/Fixes

Refer to the Workarounds and Mitigations section below.

Workarounds and Mitigations

First, upgrade to Workplace 4.0.2.14 IF001 (4.0.2.14-P8AE-IF001).
Then, to avoid the Open Redirection vulnerability, ensure that only the Workplace Baseline URL is used to access pages.
This is configured in the securityFilter.xml file, generally located in the install path under the Workplace/WEB-INF directory.
List all applicable Workplace Baseline URLs in the urlallowlist section.
You may specify SSL and/or non-SSL URLs in the following format:

Workplace Baseline URLs that are not included in the urlallowlist section will be filtered out and not used.

CPENameOperatorVersion
filenet content managereq4.0.2

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

4.9 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

0.001 Low

EPSS

Percentile

30.7%

Related for 4D4780E86B114FF56ACCE0A8630D755DC2949636E333C4AAA8BD359E9819825C