Feb 12, 2021 - 9:24 p.m.

Security Bulletin: A security vulnerability has been identified in jQuery which affects DataQuant for z/OS (CVE-2019-11358)

2021-02-12 21:24:38
www.ibm.com
CVSS3: 6.1 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

A security vulnerability has been identified in jQuery that could affect DataQuant for z/OS.

Vulnerability Details

**CVEID:** CVE-2019-11358

**CVSS Base Score:** 6.1

**DESCRIPTION:** jQuery, as used in Drupal core, is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote authenticated attacker could exploit this vulnerability to execute script in a victim’s Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Affected Products and Versions

Principal Products and Versions

DataQuant for z/OS 2.1

Remediation/Fixes

Steps to update jQuery – DataQuant

1. Download the compressed jQuery version 3.4.1 file from the link below:

https://code.jquery.com/jquery-3.4.1.min.js

2. Open the WebSphere server Administrative console and stop the DataQuant application, if it is running.

3. Go to the file system directory where the WebSphere server has installed the DataQuant for WebSphere application and navigate to the “plugins” directory.

Example plugins directory path:

C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\MyMachineNode01Cell\QMFWebSphere122_war.ear\QMFWebSphere122.war\WEB-INF\eclipse\plugins

4. Select the folder whose name starts with “com.ibm.bi.reporter_” and copy it to a temp directory.

5. Within the temp backup directory from step 4, navigate to the “reporter-config/html5/scripts” directory.

6. Delete jquery-1.11.3.min.js and put the downloaded file from step 1, jquery-3.4.1.min.js, in its place.

7. Go to the reporter-config/html5 directory.

8. Using a text editor, update the “index.html”, “index_android.html” and “index_ios.html” files to point to the new jQuery file, as below:

<script type="text/javascript" src="{1}/html5/scripts/jquery-1.11.3.min.js"></script>

To be updated with:

<script type="text/javascript" src="{1}/html5/scripts/jquery-3.4.1.min.js"></script>

9. Copy the updated folder into the plugins directory path, as per steps 3 and 4.

10. Start the DataQuant application in the WebSphere Administrative console.
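The steps above can be checked before the folder is copied back in step 9. The following is an added example, not IBM's tooling: it audits a temp copy of the “com.ibm.bi.reporter_” folder for a leftover jquery-1.11.3.min.js, a missing jquery-3.4.1.min.js, and any of the three pages that still load another jQuery version. The function names and the sample tree are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

OLD = "jquery-1.11.3.min.js"  # file deleted in step 6
NEW = "jquery-3.4.1.min.js"   # file downloaded in step 1
PAGES = ("index.html", "index_android.html", "index_ios.html")  # step 8
# Captures the jquery-<version>(.min).js file name inside a src attribute.
JQ_SRC = re.compile(
    r'src\s*=\s*["\'][^"\']*?(jquery-[\d.]+(?:\.min)?\.js)["\']', re.I)

def audit_plugin(plugin_dir):
    """Return a list of findings for a copied com.ibm.bi.reporter_* folder."""
    html5 = Path(plugin_dir) / "reporter-config" / "html5"
    scripts = html5 / "scripts"
    findings = []
    if (scripts / OLD).exists():
        findings.append(f"old library still present: scripts/{OLD}")
    if not (scripts / NEW).is_file():
        findings.append(f"new library missing: scripts/{NEW}")
    for name in PAGES:
        page = html5 / name
        if not page.is_file():
            findings.append(f"{name}: file not found")
            continue
        refs = JQ_SRC.findall(page.read_text(encoding="utf-8", errors="replace"))
        if not refs:
            findings.append(f"{name}: no jQuery script reference found")
        for ref in refs:
            if ref != NEW:
                findings.append(f"{name}: still references {ref}")
    return findings

def build_sample(root, updated_pages):
    """Constructed sample tree; pages named in updated_pages load NEW."""
    scripts = Path(root) / "reporter-config" / "html5" / "scripts"
    scripts.mkdir(parents=True)
    (scripts / NEW).write_text("/* placeholder, not the real library */")
    for name in PAGES:
        lib = NEW if name in updated_pages else OLD
        (scripts.parent / name).write_text(
            f'<script type="text/javascript" src="{{1}}/html5/scripts/{lib}"></script>')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed case: one page was missed during step 8.
        sample = build_sample(tmp, {"index.html", "index_ios.html"})
        for finding in audit_plugin(sample):
            print("FINDING:", finding)
```

An empty list from `audit_plugin` means the copy matches what steps 6 and 8 describe; any finding should be resolved before the folder goes back into the plugins directory.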

Workarounds and Mitigations

None

CPE

Name | Operator | Version
ibm dataquant for z/os | eq | 2.1
