Security Bulletin: IBM Security Information Queue does not prevent caching of sensitive pages

Summary

IBM Security Information Queue (ISIQ) allows web pages containing sensitive content to be cached by a browser and thus become vulnerable to attackers or malware. As of v1.0.3, the ISIQ web server instructs the browser to not cache the content.

Vulnerability Details

CVEID: CVE-2019-4218 DESCRIPTION: IBM Security Information Queue (ISIQ) allows web pages to be stored locally which can be read by another user on the system.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/159227&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Information Queue v1.0.0, v1.0.1, and v1.0.2

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged at 1.0.3 or greater) from the Docker Hub repository, “ibmcorp/security_information_queue”:

<https://cloud.docker.com/u/ibmcorp/repository/docker/ibmcorp/security_information_queue&gt;