
Security Bulletin: Log Analysis is vulnerable to a client side scripting attack due to missing HTTPOnly and Secure attribute in the cookie

2019-12-20 08:47:33
www.ibm.com

EPSS: 0.001 (Low), Percentile: 24.2%

Summary

A remote attacker is able to obtain sensitive information because of the failure to set the HttpOnly and Secure attributes in the cookie. This allows an attacker to intercept the transmission and obtain information from the cookie in clear text.

Vulnerability Details

CVEID: CVE-2019-4214
DESCRIPTION:
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159185 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) : Version(s)
Log Analysis : 1.3.1
Log Analysis : 1.3.2
Log Analysis : 1.3.3
Log Analysis : 1.3.4
Log Analysis : 1.3.5

Remediation/Fixes

Principal Product and Version(s) : Fix details
IBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5 : Upgrade existing version to Log Analysis 1.3.6

You can download the package for the respective platform from Passport Advantage using the following part numbers:

Part No : Part Name
CC3VNEN : IBM Operations Analytics Log Analysis Managed - Device based v1.3.6 Linux 64 bit ALL editions English
CC3VPEN : IBM Operations Analytics Log Analysis Managed - Device based v1.3.6 zLinux 64 bit ALL editions English
CC3VQEN : IBM Operations Analytics Log Analysis Managed - Device based v1.3.6 Power8 ppc64le ALL editions English

Workarounds and Mitigations

None
