Security Bulletin: Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console

Summary

Client-side HTTP Parameter Pollution in WAS Intelligent Management Admin console. TWAS pen testing uncovered an issue with the admin console that allows Client-side HTTP Parameter Pollution. The user must be navigating the affected resources. Client-side HTTP parameter pollution (HPP) vulnerabilities arise when an application embeds user input in URLs in an unsafe manner. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify URLs within the response by inserting additional query string parameters and sometimes overriding existing ones. This may result in links and forms having unexpected side effect. In this case it is possible to inject and execute arbitrary JavaScript but it does require that the user click the link for this reason Coalfire has decreased severity from High to Low.Affects: WAS VE 7.0, WAS ND 8.5, 9.0 See bulletin for fixpack and ifix details.

Vulnerability Details

CVEID:CVE-2019-4271
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 Admin console is vulnerable to a Client-side HTTP parameter pollution vulnerability. IBM X-Force ID: 160243.
CVSS Base score: 3.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160243 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

For V9.0.0.0 through 9.0.0.11:Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH12533 --OR–· Apply WebSphere Fix Pack 9.0.5.0 or later.

Workarounds and Mitigations

For V9.0.0.0 through 9.0.0.11:Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH12533 --OR–· Apply WebSphere Fix Pack 9.0.5.0 or later.