Security Bulletin: 3RD PARTY IBM InfoSphere MDM Inspector - Cross Site Request Forgery

Published: April 27, 2022, 10:23 a.m.
Source: www.ibm.com
Tags: cross site request forgery, ibm infosphere mdm, allowlist parameter
EPSS: 0.001 (percentile 20.3%)
Summary

In the MDM Inspector web application, CSRF protection is implemented by validating that the Referer header is set to an allowlisted domain. Because the check does not compare the entire Referer value, an attacker can bypass it by using the allowlisted domain as a subdomain of a domain they control, and then launch a CSRF attack from that domain. For an Inspector application hosted on example.internal, the attacker-controlled domain example.internal.attacker.com would be accepted as a valid Referer, allowing CSRF to be performed from it.

Vulnerability Details

CVEID: CVE-2020-4675
DESCRIPTION: IBM InfoSphere Master Data Management Server is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/186324 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s): InfoSphere Master Data Management
Version(s): 11.6

Remediation/Fixes

Approach 1: Configure the allowlist parameter in web.xml so that every allowlisted origin ends with a trailing slash ('/'). For example, use https://accounts.google.com/ rather than https://accounts.google.com. With the slash present, the prefix comparison can only succeed when the host name in the Referer ends exactly where the allowlisted host name does, so https://accounts.google.com.attacker.com/ no longer matches.

Approach 2: Apply the iFix provided by the MDM team.

Workarounds and Mitigations

Approach 1: Configure the allowlist parameter in web.xml so that every allowlisted origin ends with a trailing slash ('/'). For example, use https://accounts.google.com/ rather than https://accounts.google.com. With the slash present, the prefix comparison can only succeed when the host name in the Referer ends exactly where the allowlisted host name does, so https://accounts.google.com.attacker.com/ no longer matches.
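The following is an added example, not IBM's code and not the actual Inspector implementation: it models the Referer prefix check the bulletin describes (Summary above) and shows why the trailing-slash workaround (Approach 1) defeats the example.internal.attacker.com bypass, beside a stricter check that compares the parsed origin exactly. The allowlist values, the Referer strings and the function names are constructed for illustration; the bulletin does not print the web.xml parameter name or the real matching code. The test inputs go slightly beyond the bulletin by also covering a userinfo-style Referer (https://example.internal@attacker.com/), which the same prefix flaw accepts.

```python
from urllib.parse import urlsplit

# Constructed allowlist values for an Inspector instance hosted on
# example.internal (the bulletin's own example host). The parameter name and
# shape in web.xml are not shown in the bulletin, so plain lists are used here.
ALLOWLIST_NO_SLASH = ["https://example.internal"]
ALLOWLIST_WITH_SLASH = ["https://example.internal/"]

# Constructed Referer values: a legitimate one and the bypass from the bulletin.
LEGIT_REFERER = "https://example.internal/inspector/updateRecord"
BYPASS_REFERER = "https://example.internal.attacker.com/csrf.html"


def referer_allowed_by_prefix(referer, allowlist):
    """Vulnerable pattern: accept when the Referer starts with an allowlisted value.

    If the value has no terminating '/', "https://example.internal" is a prefix of
    "https://example.internal.attacker.com/..." and the check is bypassed. Adding
    the slash (Approach 1) makes the prefix end exactly after the host name.
    """
    return any(referer.startswith(entry) for entry in allowlist)


def referer_allowed_by_origin(referer, allowlist):
    """Hardened pattern: compare scheme, host and port of the Referer exactly with
    each allowlisted origin, and fail closed on a missing or unparseable value."""
    if not referer:
        return False
    try:
        ref = urlsplit(referer)
        ref_origin = (ref.scheme.lower(), (ref.hostname or "").lower(), ref.port)
    except ValueError:  # e.g. a malformed port or bracketed host
        return False
    if ref_origin[0] != "https" or not ref_origin[1]:
        return False
    for entry in allowlist:
        ent = urlsplit(entry)
        if ref_origin == (ent.scheme.lower(), (ent.hostname or "").lower(), ent.port):
            return True
    return False


def evaluate(referer):
    """Return how the three checks judge one Referer value."""
    return {
        "prefix_no_slash": referer_allowed_by_prefix(referer, ALLOWLIST_NO_SLASH),
        "prefix_with_slash": referer_allowed_by_prefix(referer, ALLOWLIST_WITH_SLASH),
        "exact_origin": referer_allowed_by_origin(referer, ALLOWLIST_WITH_SLASH),
    }


if __name__ == "__main__":
    for name, ref in (("legitimate", LEGIT_REFERER), ("bypass", BYPASS_REFERER)):
        print(name, evaluate(ref))
```

The exact-origin check rejects a Referer that is absent, which browsers strip under some Referrer-Policy settings, so an application relying on it must accept that some legitimate clients fail closed; Referer validation of any form is weaker than a synchronizer or double-submit CSRF token, which is why the bulletin's definitive fix is the iFix (Approach 2) rather than the configuration change alone.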

Affected configurations

Vendor: ibm
Product: infosphere_master_data_management
Version: 11.6
CPE: cpe:2.3:a:ibm:infosphere_master_data_management:11.6:*:*:*:*:*:*:*
