Security Bulletin: IBM InfoSphere Information Server is vulnerable to Cross-Frame Scripting issue (CVE-2016-5984)

Summary

IBM InfoSphere Information Server is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection.

Vulnerability Details

CVEID: CVE-2016-5984 DESCRIPTION: IBM InfoSphere Information Server is vulnerable to cross-frame scripting, caused by insufficient HTML iframe protection. A remote attacker could exploit this vulnerability using a specially-crafted URL to navigate to a web page the attacker controls. An attacker could use this vulnerability to conduct clickjacking or other client-side browser attacks.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116554 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

The following products, running on all supported platforms, are affected:
IBM Information Server Framework: versions 8.7, 9.1, 11.3, and 11.5
IBM InfoSphere Information Server on Cloud: version 11.5

Remediation/Fixes

Product

| VRMF|APAR|Remediation/First Fix
—|—|—|—
InfoSphere Information Server, Information Server on Cloud| 11.5| JR56565| --Apply IBM InfoSphere Information Server version 11.5.0.1
--Apply IBM InfoSphere Information Server Framework Security patch
InfoSphere Information Server| 11.3| JR56565| --Apply IBM InfoSphere Information Server version _11.3.1.2 _
--Apply IBM InfoSphere Information Server Framework Security patch
InfoSphere Information Server| 9.1| JR56565| --Apply IBM InfoSphere Information Server version 9.1.2.0
--Apply IBM InfoSphere Information Server Framework Security patch
InfoSphere Information Server| 8.7| JR56565| --Apply IBM InfoSphere Information Server version 8.7 Fix Pack 2
--Apply IBM InfoSphere Information Server Framework Security Patch

Workarounds and Mitigations

None