
SI62590 - OSP XSS VULNERABILITY IN THE HELP WEB APPLICATION

PTF (Program Temporary Fix) Cover Letter



Abstract

OSP XSS VULNERABILITY IN THE HELP WEB APPLICATION


Pre/Co-Requisite PTF / Fix List

REQ  LICENSED      PTF/FIX  LEVEL
TYPE PROGRAM  REL  NUMBER   MIN/MAX  OPTION
---- -------- ---  -------  -------  ------
PRE  5770SS1  710  SI50457   NONE     0003
PRE  5770SS1  710  SI50919   00/00    0000
CO   5770SS1  710  SI50753   NONE     0003
CO   5770SS1  710  SI43371   NONE     0003
CO   5770SS1  710  SI42046   NONE     0003
NOTICE:
-------
Application of this PTF may disable or render ineffective programs that
use system memory addresses not generated by the IBM translator,
including programs that circumvent control technology designed to limit
interactive capacity to purchased levels.  This PTF may be a prerequisite
for future PTFs.  By applying this PTF you authorize and agree to the
foregoing.

This PTF is subject to the terms of the license agreement which
accompanied, or was contained in, the Program for which you are obtaining
the PTF.  You are not authorized to install or use the PTF except as part
of a Program for which you have a valid Proof of Entitlement.

SUBJECT TO ANY WARRANTIES WHICH CAN NOT BE EXCLUDED OR EXCEPT AS EXPLICITLY
AGREED TO IN THE APPLICABLE LICENSE AGREEMENT OR AN APPLICABLE SUPPORT
AGREEMENT, IBM MAKES NO WARRANTIES OR CONDITIONS EITHER EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON INFRINGEMENT,
REGARDING THE PTF.

The applicable license agreement may have been provided to you in printed
form and/or may be viewed using the Work with Software Agreements (WRKSFWAGR)
CL command.
APAR Error Description / Circumvention

-----------------------------------------------
CVE-2008-7271 and CVE-2010-4647: multiple cross-site
scripting (XSS) vulnerabilities in the Help Contents
web application (the Help Server) of the Eclipse IDE
allow remote attackers to inject arbitrary web script
or HTML. These issues are tracked as SPR# SAKL7QQG28
and JCHC89R945.

CORRECTION FOR APAR SE65725 :
-----------------------------
Integrated application server version
7.1 is susceptible to the vulnerability.
A patch to the runtime will fix the issue.

Alternatively, users can create a new
integrated application server or
integrated web services server and deploy
their applications in the newly created
server.

CIRCUMVENTION FOR APAR SE65725 :
--------------------------------
None.


Activation Instructions


None.


Special Instructions


End all integrated application servers and
integrated web services servers.


Default Instructions

THIS PTF CAN BE APPLIED IMMEDIATE OR DELAYED.



Supersedes

PTF/FIX NO(S).  APAR TITLE LINE
--------------  ------------------------------------------------------------
   SI54929      OSP IAS - LWI server updates
   SI52972      OSP integrated web application server updates
   SI52357      OSP-LWI Decrease PTF apply time for integrated application s
   SI51846      OSP-BASEDIR-UNPRED ADMIN SERVER FAILS TO CREATE A LISTENER O
   SI51264      OSP integrated web application server updates
   SI51004      OSP integrated application server updates
   SI50945      OSP - integrated application server updates
   SI50945      OSP - WABC TOOL NOT FUNCTIONING PROPERLY W/CERTAIN NLS SETTI
   SI50789      OSP integrated web application server updates
   SI50577      OSP Updated integrated Web application server
   SI50357      OSP Updated integrated Web application server
   SI49011      OSP Updated integrated Web application server
   SI47947      OSP Updated integrated Web application server
   SI47368      OSP Updated integrated Web application server
   SI46341      OSP Updated integrated Web application server
   SI46138      OSP Updated integrated Web application server
   SI44878      OSP integrated Web application server updates
   SI43549      OSP Updated integrated Web application server
   SI43375      OSP Updated integrated Web application server
   SI43174      Integrity Problem
   SI41372      OSP Updated integrated Web application server
   SI40520      OSP integrated Web application server updates
   SI39337      OSP Updated integrated Web application server
   SI39080      OSP Updated integrated Web application server
   SI38488      OSP Updated integrated Web application server
   SI38410      OSP Updated integrated Web application server
   SI38082      OSP Updated integrated Web application server
   SI37783      OSP Updated integrated Web application server
   SI36914      OSP Updated integrated Web application server
   SI36696      OSP Integrated Web application server updates - phase 1

Summary Information

System.............................. i
Models..............................
Release............................. V7R1M0
Licensed Program............... 5770SS1
APAR Fixed.......................... SE65725
Superseded by:......................
Recompile........................... N
Library............................. QSYSDIR
MRI Feature ........................ NONE
Cum Level........................... NONE



IBM disclaims all warranties, whether express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. By furnishing this document, IBM grants no licenses to any related patents or copyrights. Copyright © 1996,1997,1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017 IBM Corporation. Any trademarks and product or brand names referenced in this document are the property of their respective owners. Consult the Terms of use link for trademark information.

Document information

More support for: i family

Software version: V7R1M0

Operating system(s): OS/400

Reference #: SI62590

Modified date: 23 September 2016