IBM Support

PI64790:Cross-site scripting vulnerability in OpenID Connect client

Abstract

Cross-site scripting vulnerability in Liberty OpenID Connect client

Download Description

PI64790 resolves the following problem:

ERROR DESCRIPTION:
Cross-site scripting vulnerability in Liberty OpenID Connect client

LOCAL FIX:

PROBLEM SUMMARY:
IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

PROBLEM CONCLUSION:
Data received by Liberty OpenID Connect clients is now appropriately sanitized before being used in order to protect against cross-site scripting attacks.
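The following is an added illustration of the mitigation class the problem conclusion describes: output-encoding data an OpenID Connect client receives from the provider before placing it in an HTML page. It is not Liberty's code and does not show the actual fix; the parameter names (error and error_description, taken from the OAuth 2.0 error response), the page layout and the sample values are constructed for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Illustrative example (not Liberty's implementation): an OIDC client
 * that renders provider-supplied error parameters into an HTML page.
 * The point is where encoding happens: at the moment a value enters
 * an HTML context, not where it is received.
 */
public class OidcCallbackRenderer {

    /** HTML-escape a value so the browser renders it as text, never as markup. */
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: response parameters are concatenated into HTML unchanged. */
    static String renderUnsafe(Map<String, String> params) {
        return "<p>Login failed: " + params.get("error")
                + " - " + params.get("error_description") + "</p>";
    }

    /** Hardened pattern: every provider-supplied value is escaped as it enters the HTML. */
    static String renderSafe(Map<String, String> params) {
        return "<p>Login failed: " + htmlEscape(params.get("error"))
                + " - " + htmlEscape(params.get("error_description")) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed sample: an authorization error response whose
        // description carries markup instead of plain text.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("error", "access_denied");
        params.put("error_description", "<script>alert(1)</script>");

        System.out.println("unsafe: " + renderUnsafe(params));
        // The escaped form contains no '<' or '>' from the untrusted value,
        // so the browser shows the text rather than executing it.
        System.out.println("safe:   " + renderSafe(params));
    }
}
```

The escaping here is the generic HTML-body rule; values placed into an attribute, a URL or a script block need the encoding for that context instead, which is why frameworks route all template output through a context-aware encoder rather than a single replace.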

Prerequisites

None

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme files:

Liberty 8.5.5 IM Readme (US English, size 2638): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI64790/8.5.5.9/readme.txt
Liberty 8.5.5.9 Archive Readme (US English, size 2176): ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI64790/8.5.5.9/readme.txt
Liberty 16.0.0.2 Archive Readme (US English, size 2184): ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI64790/16.0.0.2/readme.txt
Liberty 16.0.0.2 IM Readme (US English, size 2472): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI64790/16.0.0.2/readme.txt
Liberty 8.5.5.8 Archive Readme (US English, size 2203): ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI64790/8.5.5.8/readme.txt

Download packages (all listed for platform AIX, US English):

8558-wlp-archive-IFPI64790 (dated 09-07-2016, size 3916657): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8558-wlp-archive-IFPI64790&productid=WebSphere Application Server&brandid=5
8559-wlp-archive-IFPI64790 (dated 09-07-2016, size 3777618): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8559-wlp-archive-IFPI64790&productid=WebSphere Application Server&brandid=5
16002-wlp-archive-IFPI64790 (dated 16-9-7, size 1902800): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Liberty&release=All&platform=All&function=fixId&fixids=16002-wlp-archive-IFPI64790&includeSupersedes=0
8.5.5.8-WS-WLP-IFPI64790 (dated 09-07-2016, size 1307180): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.8-WS-WLP-IFPI64790&productid=WebSphere Application Server&brandid=5
8.5.5.9-WS-WLP-IFPI64790 (dated 09-07-2016, size 1093234): http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.9-WS-WLP-IFPI64790&productid=WebSphere Application Server&brandid=5
16.0.0.2-WS-WLP-IFPI64790 (dated 16-9-7, size 1974142): https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%2FWebSphere&product=ibm/WebSphere/WebSphere+Liberty&release=All&platform=All&function=fixId&fixids=16.0.0.2-WS-WLP-IFPI64790&includeSupersedes=0

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server (SSEQTP)
Business Unit: Cloud & Data Platform (BU053)
Component: General
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows
Version: 16.0.0.2; 8.5.5.8; 8.5.5.9
Edition: Liberty
Line of Business: Automation (LOB45)

Problems (APARS) fixed
PI49272;PI57265;PI58003;PI58819;PI62735;PI64790

Document Information

Modified date:
15 June 2018

UID

swg24042736