Security Bulletin: IBM InfoSphere DataStage exposes sensitive information during certain operations (CVE-2016-8982)

Summary

IBM InfoSphere DataStage exposes sensitive information during certain operations.

Vulnerability Details

CVEID: CVE-2016-8982 DESCRIPTION: IBM InfoSphere Information Server stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118919 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere DataStage: versions 8.7, 9.1, and 11.3

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
InfoSphere DataStage| 11.3| JR50463| --Apply IBM InfoSphere Information Server version _11.3.1.1 _or later
InfoSphere DataStage| 9.1| JR50463| --Apply IBM InfoSphere Information Server version 9.1.2.0
--Apply IBM InfoSphere DataStage Connectivity Security patch
InfoSphere DataStage| 8.7| JR50463| --Contact IBM Customer Support

Note:
For IBM InfoSphere Information Server version 8.7, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

Contact Technical Support:

In the United States and Canada dial 1-800-IBM-SERV
View the support contacts for other countries outside of the United States.
Electronically open a Service Request with Information Server Technical Support.

Workarounds and Mitigations

None