History: Jun 16, 2018 - 9:21 p.m.

Security Bulletin: IBM Security Network Protection is affected by ClickJacking vulnerability CVE-2014-6197

2018-06-16 21:21:46
www.ibm.com

EPSS: 0.002 (Percentile: 54.9%)

Summary

A ClickJacking (also known as a “UI redress attack”) vulnerability has been discovered in IBM Security Network Protection.

Vulnerability Details

CVE-ID: CVE-2014-6197

Description: A clickjacking vulnerability in IBM Security Network Protection could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim’s click actions or launch further attacks on the system.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98609 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

Products: IBM Security Network Protection (XGS) models 3100, 4100, 5100, 7100

Firmware versions: 5.1, 5.1.1, 5.1.2, 5.1.2.1, 5.2, 5.3

Remediation/Fixes

IBM has provided patches for versions 5.2 and 5.3. Follow the installation instructions in the README files included with the patch.

5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0005 for IBM Security Network Protection products at version 5.2
http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0005&continue=1

5.3.0.0-ISS-XGS-All-Models-Hotfix-FP0001 for IBM Security Network Protection products at version 5.3
http://www-933.ibm.com/support/fixcentral/swg/doSelectFixes?options.selectedFixes=5.3.0.0-ISS-XGS-All-Models-Hotfix-FP0001&continue=1

For the 5.1.x versions of Network Protection, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
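
Added example (not from IBM's bulletin or product code): a check an administrator could run over response headers captured from a web interface before and after patching, to see whether the browser is told to refuse framing. It assumes the usual defence for this vulnerability class, the X-Frame-Options and Content-Security-Policy frame-ancestors headers, which the bulletin itself does not mention; the function names and the sample headers are constructed for illustration.

```python
# Added example: judge whether response headers tell a browser to refuse framing.
# Assumption (not from the bulletin): the defence is X-Frame-Options or CSP frame-ancestors.
RANK = ["unprotected", "allowlist", "sameorigin", "deny"]  # weakest to strictest

def classify_frame_ancestors(policy):
    """Classify one CSP policy string; None if it has no frame-ancestors directive."""
    for directive in policy.split(";"):
        tokens = directive.lower().split()
        if not tokens or tokens[0] != "frame-ancestors":
            continue
        sources = tokens[1:]
        if not sources or sources == ["'none'"]:
            return "deny"
        if any(s in ("*", "http:", "https:") for s in sources):
            return "unprotected"  # any site (or any site on that scheme) may frame
        return "sameorigin" if set(sources) == {"'self'"} else "allowlist"
    return None

def framing_protection(headers):
    """headers: (name, value) pairs as received. Returns (verdict, deciding header)."""
    xfo, csp = set(), []
    for name, value in headers:
        name = name.strip().lower()
        if name == "x-frame-options":
            xfo |= {v.strip().upper() for v in value.split(",") if v.strip()}
        elif name == "content-security-policy":  # the Report-Only variant enforces nothing
            csp += [classify_frame_ancestors(p) for p in value.split(",")]
    csp = [c for c in csp if c is not None]
    if csp:
        # Every policy is enforced, so the strictest decides (an approximation for
        # allowlists); frame-ancestors overrides X-Frame-Options in current browsers.
        return max(csp, key=RANK.index), "content-security-policy"
    if len(xfo) > 1:
        return "review", "x-frame-options"  # conflicting values: fix the configuration
    if "DENY" in xfo:
        return "deny", "x-frame-options"
    if "SAMEORIGIN" in xfo:
        return "sameorigin", "x-frame-options"
    # Header absent, or an unsupported value such as ALLOW-FROM or a typo.
    return "unprotected", ("x-frame-options" if xfo else "none")

# Constructed sample responses (not captured from any real appliance).
SAMPLES = {
    "no anti-framing header": [("Content-Type", "text/html")],
    "obsolete ALLOW-FROM": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "CSP wildcard beats XFO": [("Content-Security-Policy", "frame-ancestors *"),
                               ("X-Frame-Options", "DENY")],
}
if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", framing_protection(hdrs))
```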

Workarounds and Mitigations

None
