This Security Bulletin addresses 3 security vulnerabilities, CVE-2014-0944, CVE-2014-0945 and CVE-2014-0946, in IBM Operational Decision Manager.
All issues are related to the RES Console provided in Rule Execution Server.
DESCRIPTION:
IBM Operational Decision Management is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92559> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
DESCRIPTION:
IBM Operational Decision Management is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92562> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
DESCRIPTION:
IBM Operational Decision Management could allow an attacker to obtain sensitive information from the cache due to the lack of cache control directives on responses.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92573> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
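The third issue is the absence of cache control directives on console responses. The following added check is not IBM code and is not part of the bulletin; it assumes a raw HTTP/1.x response captured from the console (a constructed sample is embedded) and reports which of the directives that keep authenticated pages out of browser and intermediary caches are missing, which is a quick way to confirm the fix took effect.

```python
"""Flag HTTP responses that lack the cache control directives needed to keep
session-specific content out of shared and browser caches.

Added example for verifying a fix of the kind described in the bulletin;
it is not IBM code and assumes nothing about ODM internals.
"""
from typing import Dict, List

# Together these tell browsers and intermediaries not to retain the response.
REQUIRED_CACHE_CONTROL = {"no-store", "no-cache"}


def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.x response.

    Header names are lower-cased; repeated headers are kept as a list so
    that every Cache-Control line is examined, not just the last one.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def cache_findings(headers: Dict[str, List[str]]) -> List[str]:
    """Return the missing directives; an empty list means the response is OK."""
    directives = set()
    for value in headers.get("cache-control", []):
        for token in value.split(","):
            directives.add(token.strip().split("=")[0].lower())
    findings = [f"Cache-Control lacks {d}"
                for d in sorted(REQUIRED_CACHE_CONTROL - directives)]
    # HTTP/1.0 caches ignore Cache-Control; Pragma: no-cache covers them.
    if "no-cache" not in [v.lower() for v in headers.get("pragma", [])]:
        findings.append("Pragma: no-cache missing")
    return findings


# Constructed sample responses (not captured from a real server).
WEAK = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
FIXED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Cache-Control: no-store, no-cache, must-revalidate\r\n"
         "Pragma: no-cache\r\nExpires: 0\r\n\r\n<html>...</html>")

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("fixed", FIXED)):
        print(label, cache_findings(parse_headers(raw)) or "ok")
```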
REMEDIATION/FIXES:
| Version | Fix name | Fix Id |
|---|---|---|
| v7.5 | Fix pack 3 Interim Fix 37 | 7.5.0.3-WS-ODM_DS-IF037 |
| v8.0 | Mod pack 1 Fix pack 2 | 8.0.1-WS-ODM-<OS>-FP002 |
| v8.5 | Mod pack 1 Interim Fix 26 | 8.5.1.0-WS-ODM_DS-IF026 |
WORKAROUNDS AND MITIGATIONS:
None known. Apply fixes.