Security Bulletin: Missing Secure HTTP Headers

Summary

During internal penetration testing we identified that the IBM i2 Enterprise Insight Analysis application could be made more secure with the addition of some HTTP headers.

Vulnerability Details

CVEID: CVE-2018-1525

DESCRIPTION: IBM i2 Intelligent Analyis Platform could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/142117&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1504 DESCRIPTION: IBM i2 Intelligent Analyis Platform could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141340&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1505 DESCRIPTION: IBM i2 Intelligent Analyis Platform allows web pages to be stored locally which can be read by another user on the system.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141413&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM i2 Enterprise Insight Analysis 2.1.8

Remediation/Fixes

All of the discussed headers have been added to the 2.2.0 release. If the vulnerabilities affect you, it is recommended that you upgrade to a later release.