IBM Support

PM97439: The eXtreme Scale monitoring console might be subject to several security vulnerabilities.


APAR status

  • Closed as program error.

Error description

  • Three web security vulnerabilities were identified in the
    WebSphere eXtreme Scale monitoring console:
    
    -- Cross-site scripting vulnerability
    -- Logoff processing weakness
    -- A phishing attack vulnerability
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  Users of IBM WebSphere eXtreme Scale        *
    *                  V7.1.1, V8.5, and V8.6                      *
    ****************************************************************
    * PROBLEM DESCRIPTION: WebSphere eXtreme Scale monitoring      *
    *                      console security vulnerabilities        *
    *                      exist.                                  *
    ****************************************************************
    * RECOMMENDATION:  Install the interim fix containing this     *
    *                  APAR.                                       *
    ****************************************************************
    VULNERABILITY DETAILS:

    CVEID: CVE-2013-5390
    DESCRIPTION: A cross site scripting vulnerability is present in the
    WebSphere eXtreme Scale monitoring console.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87126 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    CVEID: CVE-2013-5393
    DESCRIPTION: The WebSphere eXtreme Scale monitoring console has a
    vulnerability because of a logoff handling weakness.
    CVSS Base Score: 4.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87153 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

    CVEID: CVE-2013-5394
    DESCRIPTION: The WebSphere eXtreme Scale monitoring console is
    vulnerable to a form of phishing attack.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87154 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
    

Problem conclusion

  • All of the vulnerabilities were corrected. This APAR is
    available in the latest builds of WebSphere eXtreme Scale
    V7.1.1 Fix Pack 1, V8.5 Fix Pack 3, and V8.6 Fix Pack 3.
    

Temporary fix

Comments

APAR Information

  • APAR number

    PM97439

  • Reported component name

    WS EXTREME SCAL

  • Reported component ID

    5724X6702

  • Reported release

    860

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-09-19

  • Closed date

    2013-10-11

  • Last modified date

    2013-10-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WS EXTREME SCAL

  • Fixed component ID

    5724X6702

Applicable component levels

  • R711 PSY

       UP

  • R850 PSY

       UP

  • R860 PSY

       UP


Document Information

Modified date:
11 October 2013