Jun 15, 2018 - 7:07 a.m.

Security Bulletin: Cross-site scripting vulnerability in Admin Console for WebSphere Application Server (CVE-2017-1380)

2018-06-15 07:07:40
www.ibm.com

EPSS: 0.001 (Low)
Percentile: 34.0%

Summary

There is a potential cross-site scripting vulnerability in the Admin Console for WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2017-1380
DESCRIPTION: IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional:

  • Version 9.0
  • Version 8.5
  • Version 8.0
  • Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI82078 for each named product as soon as practical.

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.0.4:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI82078
--OR--
· Apply Fix Pack 9.0.0.5 or later.

For V8.5.0.0 through 8.5.5.11:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI82078
--OR--
· Apply Fix Pack 8.5.5.12 or later.

For V8.0.0.0 through 8.0.0.13:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI82078
--OR--
· Apply Fix Pack 8.0.0.14 or later.

For V7.0.0.0 through 7.0.0.43:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI82078
--OR--
· Apply Fix Pack 7.0.0.45 or later.
