Lucene search

IBM836D93514E7B1F842F71CBFB49A09A47448E5AE74332C0B80E6E63A1A12C0AAF

HistoryJun 30, 2020 - 12:27 p.m.

Security Bulletin: Vulnerability in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2020-4303, CVE-2020-4304)

2020-06-3012:27:15

www.ibm.com

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Summary

There is a cross-site scripting vulnerability in the OAuth, OpenID Connect and SAML features. This has been addressed.

Vulnerability Details

CVEID:CVE-2020-4303
**DESCRIPTION:**IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176668.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-4304
**DESCRIPTION:**IBM WebSphere Application Server - Liberty 17.0.0.3 through 20.0.0.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 176670.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176670 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
Log Analysis	1.3.5.3
Log Analysis	1.3.6.0

Remediation/Fixes

Principal Product and Version(s)	Fix details
IBM Operations Analytics - Log Analysis version 1.3.5.3 and 1.3.6.0	Apply Liberty Fix Pack 20.0.0.4 (use wlp-core-all-20.0.0.4.jar) by following the steps from this note.
OR

Upgrade to Log Analysis 1.3.6 Fix Pack 1

Note : As Liberty Fix Pack 20.0.0.4 contain fix mention in Security Bulletin: WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2020-4303, CVE-2020-4304).

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm smartcloud analyticseq1.3.5.3
ibm smartcloud analyticseq1.3.6.0

CPE	Name	Operator	Version
	ibm smartcloud analytics	eq	1.3.5.3
	ibm smartcloud analytics	eq	1.3.6.0

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

JSON

Related for 836D93514E7B1F842F71CBFB49A09A47448E5AE74332C0B80E6E63A1A12C0AAF