Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)

Summary

There is a potential cross-site scripting vulnerability in the Admin Console of WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2017-1121**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121173 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

• Version 9.0
• Version 8.5 and Version 8.5.5
• Version 8.0
• Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI73367 for each named product as soon as practical. **
For WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition:

For V9.0.0.0 through 9.0.0.2:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73367
--OR–
· Apply Fix Pack 9.0.0.3 or later. **

For V8.5.0.0 through 8.5.5.11:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73367
--OR–
· Apply Fix Pack 8.5.5.12 or later. **

For V8.0.0.0 through 8.0.0.13:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73367
--OR–
· Apply Fix Pack 8.0.0.14 or later. **

For V7.0.0.0 through 7.0.0.41:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73367
--OR–
· Apply Fix Pack 7.0.0.43 or later.