Security Bulletin: Vulnerabilites CVE-2018-25031 and CVE-2021-46708 in WebSphere Application Server Liberty affect IBM CICS TX Advanced

Summary

WebSphere Application Server Liberty is used by IBM CICS TX Advanced to provide a web based administration console and to provide web services support. The fix removes vulnerabilities CVE-2018-25031 that allows a remote attacker to conduct spoofing attacks and CVE-2021-46708 that allows a remote attacker to hijack the clicking action of the victim.

Vulnerability Details

CVEID:CVE-2018-25031
**DESCRIPTION:**swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-46708
**DESCRIPTION:**npm swagger-ui-dist could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217359 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends you apply the following fixes

Product

|

Version

|

Defect

|

Remediation /First Fix

—|—|—|—

IBM CICS TX Advanced

|

11.1

|

127738

|

Fix Central Link

IBM CICS TX Advanced

|

10.1

|

127738

|

Fix Central Link

Workarounds and Mitigations

None