IBM Support

Security Bulletin: FileNet Workplace can be affected by the File Upload XSS vulnerability (CVE-2016-3054)

Security Bulletin


Summary

FileNet Workplace is susceptible to the File Upload XSS vulnerability.

Vulnerability Details

Relevant CVE Information:
CVEID: CVE-2016-3054
DESCRIPTION:
IBM FileNet Workplace is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114753 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

FileNet Workplace 4.0.2

Remediation/Fixes

Refer to the Workarounds and Mitigations section.

Workarounds and Mitigations

There are 2 different implementations that can be used to address this vulnerability. You may choose to implement only one or to use both.
1) Check and remove malicious content before it gets added into the P8 repository.
2) Check when malicious content is being viewed and not allow it to be executed.

The following are some suggestions on the various ways to prevent malicious files from being either uploaded and/or executed. These methods have not been implemented or tested by IBM. They are just examples. For detailed implementation plans, please consult IBM ECM Lab Services or an IBM ECM Business Partner.

To avoid malicious content being entered into the P8 repository:
(1) Create a custom event action that's triggered on an AddDocument event that checks either the file type being added or calls a file scanner to validate the contents before the content is added.
(2) Configure a file scanner to scan the storage volume where content is being saved and have it send an alert when it finds malicious content.

To prevent content that contains JavaScript code from being executed when it is viewed by AE:
(1) Force JavaScript files to be viewed as text. An AE response filter could be implemented to change the MIME Type from JavaScript to Text.
(2) Configure your browser to not execute JavaScript files.
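
The response-filter suggestion above, sketched as an added example (not IBM code, and not tested against FileNet): a standard javax.servlet filter that rewrites JavaScript MIME types to text/plain. It assumes AE runs as a Java servlet web application where a filter can be registered in web.xml; the class name, the helper names and the list of MIME types are constructed for illustration.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: serve script MIME types as plain text so the browser displays them. */
public class ScriptAsTextFilter implements Filter {

    /** True for MIME types browsers treat as script (constructed list; extend as needed). */
    static boolean isScriptType(String contentType) {
        if (contentType == null) return false;
        // Compare only the media type, ignoring parameters such as "; charset=...".
        String base = contentType.split(";", 2)[0].trim().toLowerCase(Locale.ROOT);
        return base.equals("text/javascript")
            || base.equals("application/javascript")
            || base.equals("application/x-javascript")
            || base.equals("text/ecmascript")
            || base.equals("application/ecmascript");
    }

    /** Returns text/plain for script types and the original value otherwise. */
    static String neutralise(String contentType) {
        return isScriptType(contentType) ? "text/plain; charset=UTF-8" : contentType;
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        // Extra hardening beyond the bulletin: stop browsers sniffing text/plain back into script.
        http.setHeader("X-Content-Type-Options", "nosniff");
        // Wrap the response so every path that sets Content-Type goes through neutralise().
        chain.doFilter(req, new HttpServletResponseWrapper(http) {
            @Override public void setContentType(String type) {
                super.setContentType(neutralise(type));
            }
            @Override public void setHeader(String name, String value) {
                super.setHeader(name, "Content-Type".equalsIgnoreCase(name) ? neutralise(value) : value);
            }
            @Override public void addHeader(String name, String value) {
                super.addHeader(name, "Content-Type".equalsIgnoreCase(name) ? neutralise(value) : value);
            }
        });
    }
}
```

Map the filter only to the URL pattern that serves repository document content in your deployment. Mapping it to every URL would also turn the application's own script files into plain text and break the UI.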

References

Acknowledgement

This vulnerability was reported to IBM by Roshan Thomas at secvibe.com

Change History

22 July 2016: Original version published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
17 June 2018

UID

swg21987129