
Security Bulletin: Digital Certificate Manager for IBM i is vulnerable to cross-site scripting (CVE-2022-34358)

2022-11-28 19:13:58
Source: www.ibm.com

Tags: cross-site scripting vulnerability, ibm i, digital certificate manager, cve-2022-34358, ptf, credentials disclosure, version 7.5, 7.4, 7.3

5.4 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low (percentile 19.8%)

Summary

Digital Certificate Manager for IBM i is vulnerable to a cross-site scripting issue in the old (heritage) web application, as described in the Vulnerability Details section. IBM i has addressed the applicable CVE with a fix to the Digital Certificate Manager web application, as described in the Remediation/Fixes section.

Vulnerability Details

CVEID: CVE-2022-34358
**DESCRIPTION:** IBM i is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/230516 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM i| 7.5
IBM i| 7.4
IBM i| 7.3
IBM i| 7.2

Remediation/Fixes

The originally reported issue can be fixed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, 7.3, and 7.2 will be fixed.

The following IBM i PTF numbers contain the fix for the vulnerability.

IBM i Release| 5770-SS1 PTF Number| PTF Download Link
—|—|—
7.5| SI80415| SI80415
7.4| SI80414| SI80414
7.3| SI80413| SI80413
7.2| SI80412| SI80412

Additional URLs that could be used for a cross-site scripting attack were subsequently identified, resulting in superseding PTFs.

The following IBM i superseding PTF numbers contain the fix for the vulnerability.

IBM i Release| 5770-SS1 PTF Number| PTF Download Link
—|—|—
7.5| SI81854| SI81854
7.4| SI81853| SI81853
7.3| SI81852| SI81852
7.2| SI81845| SI81845

It is recommended that the heritage version of Digital Certificate Manager not be used.
PTFs are available that disable the heritage version of Digital Certificate Manager.
The heritage version will be disabled on IBM i releases 7.5, 7.4, and 7.3.

The following IBM i PTF numbers disable the heritage version of Digital Certificate Manager.

IBM i Release| 5770-DG1 PTF Number| PTF Download Link
—|—|—
7.5| SI81417| SI81417
7.4| SI81418| SI81418
7.3| SI81419| SI81419

<https://www.ibm.com/support/fixcentral>

_Important note:_ IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of the affected products.

Workarounds and Mitigations

Instead of using the heritage version of Digital Certificate Manager, it is recommended to use the new IBM Digital Certificate Manager for i user interface, reached by specifying this URL: http://systemname:2001/dcm


