IBM Support

Security Bulletin: FileNet Workplace XT and FileNet Workplace (Application Engine), can be affected by Cross Site Scripting vulnerabilities (CVE-2016-5981)

Security Bulletin


Summary

FileNet Workplace XT and FileNet Workplace (Application Engine) are susceptible to Cross Site Scripting vulnerabilities.

Vulnerability Details

Relevant CVE Information:

CVEID: CVE-2016-5981
DESCRIPTION:
IBM FileNet Workplace XT and FileNet Workplace (Application Engine) are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116466 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

FileNet Workplace XT 1.1.5

FileNet Workplace 4.0.2

Remediation/Fixes

Refer to the Workarounds and Mitigations section below.

Workarounds and Mitigations

Prerequisite
- For FileNet Workplace XT, ensure that you are on 1.1.5.2-WPXT-LA011 or higher.
- For FileNet Workplace, ensure that you are on 4.0.2.14-P8AE-IF001 or higher.

Procedure
- Modify the following two sections of the security filter XML file.

1) RegExpSecurityFilter filter

The “RegExpSecurityFilter” filter is a data type filter where the request parameter value is validated by its data type. The filter has two main sections called “expressions” and “parameters”. The “expressions” section defines the list of supported data types and their regular expressions. The regular expression is used to validate the request parameter value. Some of the predefined data types are Boolean, ipAddress, ipV6Address, number and so on. For a numeric data type, the expression definition is:

<object key="expression">
<setting key="name"> number </setting>
<setting key="regexp"> ^-?\d+$ </setting>
</object>

The “parameters” section contains the list of request parameters and the corresponding data types. For a numeric data type parameter, the parameter mapping definition is:

<object key="parameter">
<setting key="name">detailedPageSize</setting>
<setting key="expression">number</setting>
</object>

Based on these two definitions, the “detailedPageSize” parameter value will be validated for numeric value only. Any other non-numeric value will be rejected by the filter.

The customer can add new “expression” definitions and new “parameter” mappings needed to address their security requirements.


2) ScriptSecurityFilter filter

The “ScriptSecurityFilter” filter is a blocklist filter that evaluates the request parameter value for invalid script values. The filter will reject an incoming request if an invalid script value is found. Similar to the previous filter, the “ScriptSecurityFilter” has two main sections: “expressions” and “parameters”. The “expressions” section contains a list of regular expressions that are used to identify invalid scripts. The customer can modify this regular expression list to define any new expressions needed to address the security requirements.

<array key="expressions">
<value>&lt;\s*img\s*</value>
<value>&lt;\s*script\s*&gt;</value>
<value>&lt;/\s*script\s*&gt;</value>
<value>\s*javascript\s*:|(^|\s+)on[a-zA-Z]*\s*=</value>
<value>\s*\'\s*[\+;\-]</value>
<value>\s*\"\s*[\+;\-]</value>
<value>\s+STYLE\s*=</value>
</array>

The “parameters” section contains the list of request parameters that will be checked against the “expressions” entries for invalid scripts. The “parameter” section supports an “includes” list and an “excludes” list. All parameters in the “includes” will be tested for invalid scripts.

<array key="includes">
<value>eventTarget</value>
<value>eventName</value>
<value>dummy</value>
<value>browserTime1</value>
<value>browserTime2</value>
<value>browserOffset1</value>
<value>browserOffset2</value>
…..
</array>
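
The following Python model of the two filters is an added example, not IBM's code or part of the product. It reuses the expressions and parameter names shown above, reports which parameters of a request would be rejected, and lists parameters that neither section covers so new mappings can be added. Assumptions: the `<filters>` wrapper element, the trimming of whitespace inside settings, the unanchored regular expression search, and the `folderId` parameter used in testing are all hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragment built from the bulletin's definitions. The <filters>
# wrapper is hypothetical. Assumptions: whitespace around a setting value is
# not significant, and patterns are applied as an unanchored search, no flags.
CONFIG = r"""<filters>
 <object key="expression">
  <setting key="name"> number </setting>
  <setting key="regexp"> ^-?\d+$ </setting>
 </object>
 <object key="parameter">
  <setting key="name">detailedPageSize</setting>
  <setting key="expression">number</setting>
 </object>
 <array key="expressions">
  <value>&lt;\s*script\s*&gt;</value>
  <value>\s*javascript\s*:|(^|\s+)on[a-zA-Z]*\s*=</value>
 </array>
 <array key="includes">
  <value>eventName</value>
 </array>
</filters>"""

def load(config=CONFIG):
    root = ET.fromstring(config)  # the parser turns &lt; and &gt; into < and >
    types, mapping = {}, {}
    for obj in root.findall("object"):
        s = {x.get("key"): (x.text or "").strip() for x in obj.findall("setting")}
        if obj.get("key") == "expression":
            types[s["name"]] = re.compile(s["regexp"])   # data type -> regexp
        else:
            mapping[s["name"]] = s["expression"]         # parameter -> data type
    arrays = {a.get("key"): [v.text for v in a.findall("value")]
              for a in root.findall("array")}
    blocklist = [re.compile(p) for p in arrays["expressions"]]
    return types, mapping, blocklist, set(arrays["includes"])

def check_request(params, config=CONFIG):
    """Return (rejections, unmapped parameter names) for one request."""
    types, mapping, blocklist, includes = load(config)
    rejected, unmapped = [], []
    for name, value in params.items():
        if name in mapping and not types[mapping[name]].search(value):
            rejected.append((name, "not a " + mapping[name]))
        elif name in includes and any(rx.search(value) for rx in blocklist):
            rejected.append((name, "script expression"))
        elif name not in mapping and name not in includes:
            unmapped.append(name)  # candidate for a new mapping
    return rejected, unmapped
```

Parameters returned in the second list are covered by neither section in this model; they are the ones to review when adding new “expression” definitions and “parameter” mappings.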


For more information:
Please refer to the following techdoc for more details on addressing Cross Site Scripting vulnerabilities within FileNet Workplace XT and FileNet Workplace (Application Engine): http://www-01.ibm.com/support/docview.wss?uid=swg27022201


Acknowledgement

This vulnerability was reported to IBM by Roshan Thomas at secvibe.com

Change History

7 Oct 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
17 June 2018

UID

swg21990899