APAR status
Closed as program error.
Error description
On DataPower, a character string in JavaScript caused an alert to be thrown and was flagged as an injection vulnerability warning. Example: when the characters "`;" or "')" were sent, the "injection" warning was flagged on the parameters and a resulting error of " ');alert(55454" was logged.
Local fix
Problem summary
DataPower had an XSS vulnerability.
Problem conclusion
The fix is available in 2018.4.1.10. For a list of the latest fix packs available, see: http://www-01.ibm.com/support/docview.wss?uid=swg21237631
Temporary fix
Comments
APAR Information
APAR number
IT31718
Reported component name
DATAPOWER
Reported component ID
DP1234567
Reported release
18X
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-01-31
Closed date
2020-02-20
Last modified date
2020-02-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
DATAPOWER
Fixed component ID
DP1234567
Applicable component levels
Document Information
Modified date:
11 February 2022