Apr 08, 2022 - 3:41 p.m.

Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to spoofing and clickjacking attacks due to swagger-ui (CVE-2018-25031, CVE-2021-46708)

Source: www.ibm.com

EPSS

0.004

Percentile

73.8%

Summary

IBM WebSphere Application Server Liberty for IBM i contains swagger-ui which is vulnerable to spoofing and clickjacking attacks as described in the vulnerability details section. IBM WebSphere Application Server Liberty for IBM i has addressed the vulnerabilities with a fix that upgrades the Liberty runtime to version 22.0.0.3.

Vulnerability Details

CVEID: CVE-2018-25031
**DESCRIPTION:** swagger-ui could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a specially-crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
CVSS Base score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/217346 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID: CVE-2021-46708
**DESCRIPTION:** npm swagger-ui-dist could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/217359 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
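The two issues above have observable defender-side signals: a swagger-ui page being asked to load a definition from a host that is not your own, and a response that lacks frame-protection headers. The following is an added example, not part of the IBM bulletin or of swagger-ui; the log lines, hostnames and the `/openapi/ui` path prefixes are constructed sample data and assumptions about a deployment.

```python
"""Added example (not from the IBM bulletin): flag access-log requests that
hand swagger-ui a remote definition URL, and check frame-protection headers.
Log format, paths and hostnames below are constructed sample data."""
from urllib.parse import urlsplit, parse_qsl
import re

# Constructed sample lines in Apache/NCSA combined-style format.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2022:15:41:23 +0000] "GET /openapi/ui/ HTTP/1.1" 200 5120
10.0.0.9 - - [08/Apr/2022:15:42:01 +0000] "GET /openapi/ui/?url=https://evil.example/openapi.json HTTP/1.1" 200 5120
10.0.0.9 - - [08/Apr/2022:15:42:40 +0000] "GET /openapi/ui/?url=https://api.example.com/openapi.json HTTP/1.1" 200 5120
10.0.0.7 - - [08/Apr/2022:15:43:12 +0000] "GET /other/path?url=https://evil.example/x HTTP/1.1" 200 128
"""

REQ_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/\d\.\d"')
# Paths where swagger-ui is served (assumption; adjust for your deployment).
UI_PATH_PREFIXES = ("/openapi/ui", "/swagger-ui", "/api/explorer")

def find_remote_definition_loads(log_text, trusted_hosts):
    """Return (client_ip, remote_host) for swagger-ui requests whose query
    string carries an absolute http(s) URL to a host outside trusted_hosts."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group("path"))
        if not target.path.startswith(UI_PATH_PREFIXES):
            continue
        for _name, value in parse_qsl(target.query):
            ref = urlsplit(value)
            if ref.scheme in ("http", "https") and ref.hostname \
               and ref.hostname.lower() not in trusted_hosts:
                hits.append((line.split()[0], ref.hostname.lower()))
    return hits

def frame_protection_present(headers):
    """True if a response carries X-Frame-Options or a CSP frame-ancestors
    directive, the two standard defences against clickjacking."""
    lower = {k.lower(): v for k, v in headers.items()}
    if "x-frame-options" in lower:
        return True
    csp = lower.get("content-security-policy", "")
    return "frame-ancestors" in csp.lower()
```

Run `find_remote_definition_loads(SAMPLE_LOG, {"api.example.com"})` to see only the request pointing at the untrusted host reported; requests outside the swagger-ui paths are ignored.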

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM i | 7.4 |
| IBM i | 7.3 |
| IBM i | 7.2 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now.

The issues can be fixed by applying a PTF to IBM i. IBM i releases 7.4, 7.3, and 7.2 will be fixed.

The IBM i PTF numbers containing the fix for the CVEs:

| IBM i Release | 5770-SS1 PTF Number | PTF Download Link |
|---|---|---|
| 7.4 | SI78971 | <https://www.ibm.com/support/pages/ptf/SI78971> |
| 7.3 | SI78972 | <https://www.ibm.com/support/pages/ptf/SI78972> |
| 7.2 | SI78973 | <https://www.ibm.com/support/pages/ptf/SI78973> |

IBM Fix Central: <https://www.ibm.com/support/fixcentral>

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to a supported and fixed version of the affected products.

Workarounds and Mitigations

None
