IBM Support

Security Bulletin: Cross-site scripting vulnerability in Installation Verification Tool of WebSphere Application Server (CVE-2018-1643)

Security Bulletin


Summary

There is a potential cross-site scripting vulnerability with the Installation Verification Tool of IBM WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2018-1643
DESCRIPTION: The Installation Verification Tool of IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144588 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

  • Version 9.0
  • Version 8.5
  • Version 8.0

Remediation/Fixes

On a standalone application server profile, the “ivtApp” application is used by the Installation Verification Tool (IVT). The IVT verifies that the installation of the product and the application server is successful. On a standalone application server, the IVT queries servlets from the “ivtApp” application.

The IVT is invoked manually by a user either through the firststeps console or through the ivt.bat/sh script.

For more information regarding the Installation Verification tool, see the knowledge center document "Using the installation verification tool" 

The application is also available as an installable Enterprise Application aRchive (EAR) file which is located at <WAS_HOME>/installableApps/ivtApp.ear.

The fix delivers updates to the ivtApp.ear under the installableApps directory as well as the standalone application profile template which is used for profile creation so that new profiles are deployed with the updated “ivtApp”.

However, it will require manual steps from an administrator/user to update a profile/server-configuration that has already had the ivtApp.ear deployed either from profile creation or by an administrator/user. This is due to the requirement of an administrator/user to administer changes to the profile/server-configuration.

If there is no need for the ivtApp then it may be simply uninstalled.

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI98558 for each named product as soon as practical. 

NOTE:  Manual steps may need to be taken after applying the Interim Fix depending on your environment.  See below for the steps.

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:
For V9.0.0.0 through 9.0.0.8:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI98558
--OR--
· Apply Fix Pack 9.0.0.9 or later.

For V8.5.0.0 through 8.5.5.13:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI98558
--OR--
· Apply Fix Pack 8.5.5.14 or later.

For V8.0.0.0 through 8.0.0.15:
· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI98558

WebSphere Application Server V8 is no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product.

MANUAL STEPS:

If there is no need for the ivtApp then it may be simply uninstalled.

If there requires further need for the ivtApp then it should be updated or uninstalled and reinstalled with the updated ivtApp.ear from <WAS_HOME>/installableApps/ivtApp.ear

If it is a standalone application server environment. Please administer your changes through the standalone application server(s).

If it is a Network Deployment environment. Please administer your changes through the deployment manager server(s).

Please review the notes at the end of this article before proceeding for more information.

Using the administrative console through the browser

Using the AdminApp command through the wsadmin tool        

      

Note: When the ivtApp.ear is deployed as part of profile creation, the application is named “ivtApp”. If an administrator/user has deployed the application afterwards (i.e in a federated configuration) using the default application name, the application can be named “IVT Application”. Alternatively, an administrator/user could have deployed the application with an application name of their choice.

Note: When a standalone application server (e.g. AppSrv01) that was created with the “ivtApp” federates its’ node to a Deployment Manager, the configuration with the “ivtApp” is not migrated into the new federated configuration. However, the old configuration is saved and when the node is unfederated the original configuration is restored which will contain the “ivtApp” that was deployed from profile creation.

Get Notified about Future Security Bulletins

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Mingxuan Song

Change History

12 November 2018: original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: WebSphere Application Server

Software version: 7.0, 8.0, 8.5, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Advanced, Base, Developer, Enterprise, Express, Network Deployment, Single Server

Reference #: 0716857

Modified date: 12 November 2018


Translate this page: