Security Bulletin: Vulnerability in URL Redirection affects IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x (CVE-2016-8961)

Summary

IBM License Metric Tool v9.x and IBM BigFix Inventory v9.x accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. This simplifies phishing
attacks.

Vulnerability Details

CVEID: CVE-2016-8961**
DESCRIPTION:** IBM BigFix Inventory v9.x could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118850 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

IBM License Metric Tool v9.x IBM BigFix Inventory v9.x

Remediation/Fixes

Upgrade to version 9.2.6 or later using the following procedure:

• In IBM Endpoint Manager console, expand IBM BigFix InventoryorIBM License Reporting (ILMT) node underSites node in the tree panel.
• Click Fixlets and Tasks node.Fixlets and Tasks panel will be displayed on the right.
• In the Fixlets and Tasks panel locate _Upgrade to the newest version of IBM BigFix Inventory 9.x _or Upgrade to the newest version IBM License Metric Tool 9.x fixlet and run it against the computer that hosts your server.

Workarounds and Mitigations

None