APAR status
Closed as program error.
Error description
Three web security vulnerabilities were identified in the WebSphere eXtreme Scale monitoring console: -- Cross-site scripting vulnerability -- Logoff processing weakness -- A phishing attack vulnerability
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: Users of IBM WebSphere eXtreme Scale * * V7.1.1, V8.5, and V8.6 * **************************************************************** * PROBLEM DESCRIPTION: WebSphere eXtreme Scale monitoring * * console security vulnerabilities * * exist. * **************************************************************** * RECOMMENDATION: Install the interim fix containing this * * APAR. * **************************************************************** VULNERABILITY DETAILS: CVEID: CVE-2013-5390 DESCRIPTION: A cross site scripting vulnerability is present in the WebSphere eXtreme Scale monitoring console. CVSS Base Score: 3.5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87126 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) CVEID: CVE-2013-5393 DESCRIPTION: The WebSphere eXtreme Scale monitoring console has a vulnerability because of a logoff handling weakness. CVSS Base Score: 4.3 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87153 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) CVEID: CVE-2013-5394 DESCRIPTION: The WebSphere eXtreme Scale monitoring console is vulnerable to a form of phishing attack. CVSS Base Score: 3.5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87154 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Problem conclusion
All of the vulnerabilities were corrected. This APAR is available in the latest builds of WebSphere eXtreme Scale V7.1.1 Fix Pack 1, V8.5. Fix Pack 3, and V8.6 Fix Pack 3.
Temporary fix
Comments
APAR Information
APAR number
PM97439
Reported component name
WS EXTREME SCAL
Reported component ID
5724X6702
Reported release
860
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-09-19
Closed date
2013-10-11
Last modified date
2013-10-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WS EXTREME SCAL
Fixed component ID
5724X6702
Applicable component levels
R711 PSY
UP
R850 PSY
UP
R860 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSTVLU","label":"WebSphere eXtreme Scale"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"860","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
11 October 2013