History: Jun 04, 2019 - 3:30 p.m.

Security Bulletin: IBM Security Information Queue web application is vulnerable to clickjacking attack

2019-06-04 15:30:01
www.ibm.com
10

EPSS: 0.001 (Low), Percentile: 40.1%

Summary

The IBM Security Information Queue (ISIQ) web application is vulnerable to a clickjacking attack in which an untrusted page could get embedded into another frame or object. As of v1.0.3, the ISIQ web server disallows browsers from embedding content.

Vulnerability Details

CVEID: CVE-2019-4217
DESCRIPTION: IBM Security Information Queue (ISIQ) could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim’s click actions and possibly launch further attacks against the victim.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159226> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged at 1.0.3 or greater) from the Docker Hub repository, “ibmcorp/security_information_queue”:

<https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue>
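
A check an operator could run over response headers captured from an upgraded instance, as an added example that is not IBM's code. The bulletin does not say which header ISIQ 1.0.3 sends, so the function accepts either `X-Frame-Options` or CSP `frame-ancestors`; the function names and the header sets are constructed for illustration.

```python
# Added example: classify anti-framing response headers. Inputs are constructed.
RANK = {"unprotected": 0, "restricted": 1, "same-origin": 2, "deny": 3}

def classify_ancestors(sources):
    """Classify the source list of a CSP frame-ancestors directive."""
    sources = [s.lower() for s in sources]
    if not sources or sources == ["'none'"]:
        return "deny"                      # empty list matches no origin
    if any(s in ("*", "http:", "https:") for s in sources):
        return "unprotected"               # any site may frame the page
    if sources == ["'self'"]:
        return "same-origin"
    return "restricted"                    # explicit allowlist of origins

def classify_xfo(value):
    """Classify an X-Frame-Options value as current browsers treat it."""
    v = value.strip().upper()
    if v == "DENY":
        return "deny"
    if v == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"                   # ALLOW-FROM / unknown: ignored

def framing_policy(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    csp, xfo = [], []
    for name, value in headers:
        key = name.strip().lower()
        if key == "x-frame-options":
            xfo.append(classify_xfo(value))
        elif key == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    csp.append(classify_ancestors(tokens[1:]))
                    break                  # first occurrence in a policy wins
    if csp:                                # frame-ancestors overrides XFO
        return max(csp, key=RANK.get)      # every policy is enforced
    if xfo:
        return min(xfo, key=RANK.get)      # conflicting values: assume weakest
    return "unprotected"

if __name__ == "__main__":
    constructed = {
        "no anti-framing header": [("Content-Type", "text/html")],
        "X-Frame-Options": [("X-Frame-Options", "DENY")],
        "CSP": [("Content-Security-Policy", "frame-ancestors 'none'")],
    }
    for label, hdrs in constructed.items():
        print(f"{label}: {framing_policy(hdrs)}")
```

A result of `unprotected` on any page of the web application means a browser will still render it inside a third-party frame.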

CPE

| Name | Operator | Version |
| --- | --- | --- |
| ibm security information queue | eq | any |
