APAR status
Closed as program error.
Error description
M-001 Application Pages Do Not Break Out of 3rd Party HTML Frames. Implement a Frame Killer. L3 Comment: SSP Engineering: Investigating (affects SSP CM and SEAS)
Local fix
STRRTC - 367009 DE/RJ Circumvention: Update to latest SSP Build 3.4.1.7
Problem summary
Security scan revealed that Sterling Secure Proxy Configuration Manager pages permit rendering within third party HTML frames. An internal attacker could potentially control elements of the framed pages and obtain unauthorized access to data.
Problem conclusion
Implemented frame options within the SSP CM web pages to keep third-party applications from rendering the pages within frames.
Temporary fix
Implemented "frame killer" attributes in the CM screens to prevent hijacking.
Comments
Fix included in SSP3417.
APAR Information
APAR number
IC90714
Reported component name
STR SECURE PROX
Reported component ID
5725D0300
Reported release
341
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2013-03-08
Closed date
2013-05-01
Last modified date
2013-05-01
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR SECURE PROX
Fixed component ID
5725D0300
Applicable component levels
R341 PSY
UP
Document Information
Modified date:
01 May 2013