History: Oct 07, 2020 - 9:15 p.m.

Security Bulletin: Steps to update DataQuant Workstation and DataQuant WebSphere plugins.

2020-10-07 21:15:08
www.ibm.com

6.1 Medium

CVSS3

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |

AV:N/AC:M/Au:N/C:N/I:P/A:N

Summary

jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the HTML() function. A remote attacker could exploit this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Vulnerability Details

CVEID: CVE-2020-11023
**DESCRIPTION:** jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the option elements. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181350 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2020-11022
**DESCRIPTION:** jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the jQuery.htmlPrefilter method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181349 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| DataQuant for z/OS | 2.1 |
| DataQuant for Multiplatforms | 2.1 |

Remediation/Fixes

Please see “Workarounds.”

Workarounds and Mitigations

Steps for DataQuant Workstation:

  1. Close DataQuant.
  2. Navigate to the plugins directory present within the DataQuant install directory.

     Example: <DATAQUANT_HOME>/DataQuant For Workstation/plugins

  3. Locate the folder com.ibm.bi.reporter_2.1.7.20170216 in the above directory. Take a backup and remove the directory along with its contents from this location.
  4. Download the attached zip file and extract it to a temporary location.
  5. Place the extracted folder in the directory <DATAQUANT_HOME>/DataQuant For Workstation/plugins.
  6. Once replaced, launch DataQuant.

Steps for DataQuant WebSphere:

  1. On a deployed product instance, stop the DataQuant WebSphere application.
  2. Locate the plugin folder com.ibm.bi.reporter_2.1.7.20170216. Take a backup and remove it from the plugins directory.

     Standard location: <IBM_WebSphere>\AppServer\profiles\AppSrv01\installedApps\ams-vm-qmf11Node01Cell\DataQuant for WebSphere 2.1.ear\DataQuantWebSphere21.war\WEB-INF\eclipse\plugins\

  3. Download the attached zip file and extract it to a temporary location.
  4. Place the extracted folder in the directory <IBM_WebSphere>\AppServer\profiles\AppSrv01\installedApps\MyMachineNode01Cell\DataQuant for WebSphere 2.1.ear\DataQuantWebSphere21.war\WEB-INF\eclipse\plugins\
  5. Optionally, to copy the files for WebSphere Application Server on Windows using the XCOPY command, run step 6.
  6. Open a command prompt with the ‘Run As Administrator’ option and use the XCOPY command.

     For example: Xcopy /E /I "<UserLocationForDownloadedZip>\com.ibm.bi.reporter_2.1.8.20200927" "<IBM_WebSphere>\AppServer\profiles\AppSrv01\installedApps\MyMachineNode01Cell\DataQuant for WebSphere 2.1.ear\DataQuantWebSphere21.war\WEB-INF\eclipse\plugins\com.ibm.bi.reporter_2.1.8.20200927"

  7. Start the DataQuant application within WebSphere.
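As an added example (not IBM's code), a small Python helper that performs the backup-and-replace step shared by the Workstation and WebSphere procedures above and reports whether a plugins directory still carries the pre-fix reporter plugin. It assumes the fixed folder has already been extracted from the attached zip and that DataQuant has been stopped by hand; the helper names, backup location and the sample plugin.xml in the test are assumptions.

```python
import re
import shutil
from pathlib import Path

# Plugin folder names taken from the bulletin: the vulnerable jQuery-bearing
# reporter plugin and the fixed one shipped in the attached zip.
VULNERABLE_PLUGIN = "com.ibm.bi.reporter_2.1.7.20170216"
FIXED_PLUGIN = "com.ibm.bi.reporter_2.1.8.20200927"
_NAME_RE = re.compile(r"^com\.ibm\.bi\.reporter_(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def plugin_version(folder_name):
    """Return (major, minor, patch, build) for a reporter plugin folder, else None."""
    m = _NAME_RE.match(folder_name)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(plugins_dir):
    """Classify a plugins directory: 'patched', 'vulnerable', 'mixed' or 'missing'.

    'mixed' means both an old and a fixed folder are present, which the
    bulletin avoids by removing the old folder before copying in the new one.
    """
    fixed_floor = plugin_version(FIXED_PLUGIN)
    versions = [v for v in (plugin_version(p.name) for p in Path(plugins_dir).iterdir()
                            if p.is_dir()) if v]
    if not versions:
        return "missing"
    old = [v for v in versions if v < fixed_floor]
    new = [v for v in versions if v >= fixed_floor]
    if old and new:
        return "mixed"
    return "patched" if new else "vulnerable"


def apply_fix(plugins_dir, extracted_fixed_dir, backup_dir):
    """Back up (move out) any pre-fix reporter plugin, then copy in the fixed folder."""
    plugins_dir, backup_dir = Path(plugins_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    fixed_floor = plugin_version(FIXED_PLUGIN)
    for p in plugins_dir.iterdir():
        v = plugin_version(p.name)
        if p.is_dir() and v and v < fixed_floor:
            shutil.move(str(p), str(backup_dir / p.name))  # the bulletin's "take a backup"
    target = plugins_dir / Path(extracted_fixed_dir).name
    if not target.exists():
        shutil.copytree(extracted_fixed_dir, target)
    return assess(plugins_dir)
```

Run `assess()` across every DataQuant install after the change to confirm none reports "vulnerable" or "mixed".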

| CPE Name | Operator | Version |
|---|---|---|
| ibm dataquant for z/os | eq | 2.1 |
