Security Bulletin: IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting (XSS) Attack (CVE-2017-1199)

Summary

IBM InfoSphere Master Data Management is vulnerable to a cross-site scripting (XSS) Attack and could allow users to embed arbitrary JavaScript code in the Web UI and lead to disclosure of credentials.

Vulnerability Details

CVEID: CVE-2017-1199**
DESCRIPTION:** IBM InfoSphere Master Data Management Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123674 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability is known to affect the following offerings:

Affected IBM InfoSphere Master Data Management Server

|

Affected Versions

—|—
IBM InfoSphere Master Data Management Server| 10.1
IBM InfoSphere Master Data Management Server| 11.0
IBM InfoSphere Master Data Management Server| 11.3
IBM InfoSphere Master Data Management Server| 11.4
IBM InfoSphere Master Data Management Server| 11.5
IBM InfoSphere Master Data Management Server| 11.6

Remediation/Fixes

The recommended solution is to apply the fix as soon as practical. Please see below for information on how to apply the fix:

If you have customized the UI and the source code is already available skip step #1 and #2.

1. Locate the com.ibm.mdm.sample.ds.webapp.ear.zip file from MDM sample.
2. Import the projects into RAD and follow Downloading, configuring and deploying the sample
3. Open SessionFilter.java from CommonUIModel
- In doFilter method add the below code provided code at line number 75

httpResponse.setHeader(“Content-Security-Policy”, “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; connect-src ‘self’; img-src ‘self’; style-src ‘self’ ‘unsafe-inline’”);
//#Used by Firefox until version 23, and Internet Explorer version 10 (which partially implements Content Security Policy).
httpResponse.setHeader(“X-Content-Security-Policy”, “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; connect-src ‘self’; img-src ‘self’; style-src ‘self’ ‘unsafe-inline’”);
//Used by Chrome until version 25
httpResponse.setHeader(“X-WebKit-CSP”, “default-src ‘self’; script-src ‘self’ ‘unsafe-inline’ ‘unsafe-eval’; connect-src ‘self’; img-src ‘self’; style-src ‘self’ ‘unsafe-inline’”);
//<https://www.owasp.org/index.php/List_of_useful_HTTP_headers&gt;
httpResponse.setHeader(“X-Content-Type-Options”,“nosniff”);
httpResponse.setHeader(“X-XSS-Protection”,“1”);
//one year = 31536000
httpResponse.setHeader(“Strict-Transport-Security”,“max-age=31536000”);

- After the code changes are done build all projects

4. Export CustomerDataStewardship as EAR
Then From RAD, File -> Export -> Ear File (Under Java EE)
in EAR Export wizard
- select EAR Project name as ‘CustomerDataStewardship’
- Then provide the destination , that earfile name
5. Deploy the this new exported EAR on server
Note: Before installing EAR on server make sure ClientAuthentication.properties and mdmUIConfiguration.properties of propertiesUI.jar have valid connection properties.

Workarounds and Mitigations

None