
Security Bulletin: IBM InfoSphere Information Server is vulnerable to insecure third party domain access (CVE-2021-29875)

2022-02-15 14:55:27
www.ibm.com

EPSS: 0.001 (Low), percentile 49.7%

Summary

An insecure third party domain access vulnerability in IBM InfoSphere Information Server was addressed.

Vulnerability Details

CVEID: CVE-2021-29875
**DESCRIPTION:** IBM InfoSphere Information Server could allow an attacker to obtain sensitive information due to an insecure third party domain access vulnerability.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| InfoSphere Information Server | 11.7 |

Remediation/Fixes

| Product | VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| InfoSphere Information Server, Information Server on Cloud | 11.7 | JR63905 | Apply IBM InfoSphere Information Server version 11.7.1.0; apply IBM InfoSphere Information Server version 11.7.1.3; WebSphere Application Server (WAS) cookies need to be updated as indicated below. |

Steps to update WebSphere Application Server (WAS) cookies

1. LTPAToken2 cookies
This applies to WAS Network Deployment and WAS Liberty installations.

LTPAToken2 cookies are used to authenticate with web applications across multiple WebSphere Application Servers. To support Single Sign On (SSO), it is essential that they are visible from everywhere. Hence, they are set to the root path and there is no option to alter the path name.
For information on SSO to minimize web user authentications, see
<https://www.ibm.com/docs/en/was/9.0.5?topic=users-implementing-single-sign-minimize-web-user-authentications>

Note that form login mechanisms for web applications require that SSO is enabled. If needed, use this topic to configure single sign-on for the first time.

The names of the LTPAToken and LTPAToken2 cookies can be changed on the servers to get the same behavior as setting the cookie path. This results in the cookies not being visible from the servers where the cookie name was not changed.

2. JSESSIONID cookie
For WAS Network Deployment:
See <https://www.ibm.com/support/pages/setting-httponly-and-secure-flags-websphere-application-server-cookies>
In WAS Administration console, navigate to
servers > server types > WebSphere application servers > server1 > container settings > session management > Enable cookies > Cookie path > set cookie path
Set the cookie path to /ibm/iis

For WAS Liberty:
The server.xml file in <IIS_INSTALL_LOCATION>/wlp/usr/servers/iis needs to be updated.
Change

```xml
<httpSession InvalidateOnUnauthorizedSessionRequestException="true" allowOverflow="true" cookieHttpOnly="true" cookieName="IIS-JSESSIONID" cookieSecure="true" cookiesEnabled="true" invalidationTimeout="1800" maxInMemorySessionCount="1000" securityIntegrationEnabled="true"/>
```

to

```xml
<httpSession InvalidateOnUnauthorizedSessionRequestException="true" allowOverflow="true" cookieHttpOnly="true" cookieName="IIS-JSESSIONID" cookieSecure="true" cookiesEnabled="true" cookiePath="/ibm/iis" invalidationTimeout="1800" maxInMemorySessionCount="1000" securityIntegrationEnabled="true"/>
```

Restart WebSphere Liberty.
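The two cookie steps above (LTPAToken2 stays at the root path for SSO; the session cookie is confined to /ibm/iis and keeps Secure and HttpOnly) can be verified on both the configuration and the live response. The following script is an added example, not an IBM-supplied tool: it parses a server.xml fragment (constructed here from the bulletin's "before" state, with the same attribute names), reports whether the httpSession element carries cookiePath="/ibm/iis" plus the Secure/HttpOnly flags, applies the cookiePath edit, and then checks captured Set-Cookie header values (the sample headers are constructed) with the same expectations. The function names, the constants, and the sample inputs are assumptions made for the illustration.

```python
"""Added verification helper for the WAS Liberty cookie-path hardening above.
Not an IBM-supplied tool; the sample XML and sample headers are constructed."""
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

EXPECTED_PATH = "/ibm/iis"          # cookie path the bulletin asks for
SESSION_COOKIE = "IIS-JSESSIONID"   # Liberty session cookie name from server.xml

# Constructed server.xml fragment mirroring the "before" state in the bulletin
# (attribute names as on the page; cookiePath is absent).
SERVER_XML_BEFORE = """<server>
  <httpSession InvalidateOnUnauthorizedSessionRequestException="true"
               allowOverflow="true" cookieHttpOnly="true"
               cookieName="IIS-JSESSIONID" cookieSecure="true"
               cookiesEnabled="true" invalidationTimeout="1800"
               maxInMemorySessionCount="1000"
               securityIntegrationEnabled="true"/>
</server>"""


def check_liberty_session_config(xml_text):
    """Return a list of findings for every <httpSession> element in server.xml.
    An empty list means the session cookie is scoped to /ibm/iis and carries
    both the Secure and HttpOnly flags."""
    root = ET.fromstring(xml_text)
    sessions = root.findall("httpSession")
    if not sessions:
        return ["no <httpSession> element found"]
    findings = []
    for hs in sessions:
        path = hs.get("cookiePath")
        if path != EXPECTED_PATH:
            findings.append(f"cookiePath is {path!r}, expected {EXPECTED_PATH!r}")
        for flag in ("cookieSecure", "cookieHttpOnly"):
            if hs.get(flag, "false").lower() != "true":
                findings.append(f"{flag} is not true")
    return findings


def apply_cookie_path(xml_text, path=EXPECTED_PATH):
    """Return server.xml text with cookiePath set on every <httpSession>
    (the edit the bulletin describes), leaving other attributes untouched."""
    root = ET.fromstring(xml_text)
    for hs in root.findall("httpSession"):
        hs.set("cookiePath", path)
    return ET.tostring(root, encoding="unicode")


def check_set_cookie_headers(set_cookie_values):
    """Inspect raw Set-Cookie header values captured from an application
    response after the restart. The session cookie must be confined to
    /ibm/iis; LTPAToken2 is expected at the root path because SSO needs it
    visible everywhere, so only its Secure/HttpOnly flags are checked."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"{name}: missing Secure flag")
            if not morsel["httponly"]:
                findings.append(f"{name}: missing HttpOnly flag")
            if name.upper().endswith("JSESSIONID"):
                path = morsel["path"] or "/"   # absent Path means root
                if path != EXPECTED_PATH:
                    findings.append(
                        f"{name}: Path={path} is broader than {EXPECTED_PATH}")
    return findings


if __name__ == "__main__":
    print("before:", check_liberty_session_config(SERVER_XML_BEFORE))
    fixed = apply_cookie_path(SERVER_XML_BEFORE)
    print("after: ", check_liberty_session_config(fixed))
    # Constructed headers as a browser would receive them from the unfixed server.
    sample = [
        "IIS-JSESSIONID=0000Abc123; Path=/; Secure; HttpOnly",
        "LtpaToken2=AbCdEf; Path=/; Secure; HttpOnly",
    ]
    for finding in check_set_cookie_headers(sample):
        print("header finding:", finding)
```

Run the configuration check against the live server.xml before and after the edit, then capture the Set-Cookie headers from a login response once Liberty has been restarted; a root-path session cookie, or one without Secure/HttpOnly, is reported, while the root-path LTPAToken2 is accepted because that is the behaviour the bulletin describes.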

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
|---|---|---|
| infosphere information server | eq | 11.7 |
