
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2326
Security Bulletin: FileNet Workplace XT and FileNet Workplace (Application
             Engine), can be affected by Cross Site Scripting
                      vulnerabilities (CVE-2016-5981)
                              5 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM FileNet Workplace
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Cross-site Scripting -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-5981  

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21990899

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: FileNet Workplace XT and FileNet Workplace (Application
Engine), can be affected by Cross Site Scripting vulnerabilities
(CVE-2016-5981)

Security Bulletin

Document information

More support for:     FileNet Content Manager, Workplace XT
Software version:     1.1.5
Operating system(s):  AIX, HP-UX, Linux, Solaris, Windows
Reference #:          1990899
Modified date:        2016-10-03

Summary

FileNet Workplace XT and FileNet Workplace (Application Engine) are
susceptible to Cross Site Scripting vulnerabilities.

Vulnerability Details

Relevant CVE Information:

CVEID: CVE-2016-5981

DESCRIPTION: IBM FileNet Workplace XT and FileNet Workplace (Application
Engine) are vulnerable to cross-site scripting. This vulnerability allows
users to embed arbitrary JavaScript code in the Web UI, thus altering the
intended functionality and potentially leading to credentials disclosure
within a trusted session.

CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/116466 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

FileNet Workplace XT 1.1.5

FileNet Workplace 4.0.2

Remediation/Fixes

Refer to the Workarounds and Mitigations section below.

Workarounds and Mitigations

Prerequisite

- For FileNet Workplace XT, ensure that you are on 1.1.5.2-WPXT-LA011 or
  higher.
- For FileNet Workplace, ensure that you are on 4.0.2.14-P8AE-IF001 or
  higher.

Procedure

- Modify the following two sections of the security filter XML file.

1) RegExpSecurityFilter filter

The RegExpSecurityFilter filter is a data type filter where the request
parameter value is validated by its data type. The filter has two main
sections called expressions and parameters. The expressions section defines
the list of supported data types and their regular expressions. The regular
expression is used to validate the request parameter value. Some of the
predefined data types are Boolean, ipAddress, ipV6Address, number and so on.
For a numeric data type, the expression definition is:

<object key="expression">
    <setting key="name"> number </setting>
    <setting key="regexp"> ^-?\d+$ </setting>
</object>

The parameters section contains the list of request parameters and the
corresponding data types. For a numeric data type parameter, the parameter
mapping definition is:

<object key="parameter">
    <setting key="name">detailedPageSize</setting>
    <setting key="expression">number</setting>
</object>

Based on these two definitions, the detailedPageSize parameter value will be
validated as a numeric value only. Any non-numeric value will be rejected by
the filter.

The customer can add new expression definitions and new parameter mappings
needed to address their security requirements.

2) ScriptSecurityFilter filter

The ScriptSecurityFilter filter is a blacklist filter that evaluates the
request parameter value for invalid script values. The filter will reject an
incoming request if an invalid script value is found. Similar to the previous
filter, the ScriptSecurityFilter has two main sections: expressions and
parameters. The expressions section contains a list of regular expressions
that are used to identify invalid scripts. The customer can modify this
regular expression list to define any new expressions needed to address the
security requirements.

<array key="expressions">
    <value>&lt;\s*img\s*</value>
    <value>&lt;\s*script\s*&gt;</value>
    <value>&lt;/\s*script\s*&gt;</value>
    <value>\s*javascript\s*:|(^|\s+)on[a-zA-Z]*\s*=</value>
    <value>\s*\'\s*[\+;\-]</value>
    <value>\s*\"\s*[\+;\-]</value>
    <value>\s+STYLE\s*=</value>
</array>

The parameters section contains the list of request parameters that will be
checked against the expressions entries for invalid scripts. The parameters
section supports an includes list and an excludes list. All parameters in the
includes list will be tested for invalid scripts.

<array key="includes">
    <value>eventTarget</value>
    <value>eventName</value>
    <value>dummy</value>
    <value>browserTime1</value>
    <value>browserTime2</value>
    <value>browserOffset1</value>
    <value>browserOffset2</value>
    ..
</array>
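The following is an added example, not part of IBM's bulletin or product code, that models how the two filters above combine: it loads a constructed security filter fragment in the element shapes quoted in steps 1) and 2), applies the data-type allowlist to typed parameters and the script blocklist only to parameters named in the includes list, and reports which parameter each filter would reject and why. The element and key names are those shown in the bulletin; the enclosing <filters> root, the sample values and the Python loader are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config fragment (not IBM's shipped file) in the element shapes the
# bulletin quotes; values keep the bulletin's stray whitespace, so strip() matters.
CONFIG_XML = r"""<filters>
  <object key="RegExpSecurityFilter">
    <object key="expression">
      <setting key="name"> number </setting><setting key="regexp"> ^-?\d+$ </setting>
    </object>
    <object key="parameter">
      <setting key="name">detailedPageSize</setting><setting key="expression">number</setting>
    </object>
  </object>
  <object key="ScriptSecurityFilter">
    <array key="expressions">
      <value>&lt;\s*script\s*&gt;</value>
      <value>\s*javascript\s*:|(^|\s+)on[a-zA-Z]*\s*=</value>
    </array>
    <array key="includes"><value>eventTarget</value></array>
  </object>
</filters>"""

def setting(obj, key):
    return obj.find(f"setting[@key='{key}']").text.strip()

def load_filters(xml_text):
    root = ET.fromstring(xml_text)
    rx = root.find("object[@key='RegExpSecurityFilter']")
    types = {setting(o, "name"): re.compile(setting(o, "regexp"))
             for o in rx.findall("object[@key='expression']")}
    typed = {setting(o, "name"): setting(o, "expression")
             for o in rx.findall("object[@key='parameter']")}
    sf = root.find("object[@key='ScriptSecurityFilter']")
    blocked = [re.compile(v.text.strip()) for v in sf.find("array[@key='expressions']")]
    included = {v.text.strip() for v in sf.find("array[@key='includes']")}
    return types, typed, blocked, included

def check_request(params, filters):
    """Map each rejected parameter to the filter and reason that rejected it."""
    types, typed, blocked, included = filters
    rejected = {}
    for name, value in params.items():
        # Allowlist: typed parameters must match their ^...$ anchored type regex.
        if name in typed and not types[typed[name]].search(value):
            rejected[name] = f"RegExpSecurityFilter: not a valid {typed[name]}"
        # Blocklist: only 'includes' parameters are scanned; others pass untouched.
        elif name in included and any(p.search(value) for p in blocked):
            rejected[name] = "ScriptSecurityFilter: matched a blocked expression"
    return rejected
```

Run it as check_request({"detailedPageSize": "25abc", "eventTarget": "<script>x</script>"}, load_filters(CONFIG_XML)) to see both rejections; a parameter absent from the includes list is never scanned, which is why the bulletin's includes list has to cover every parameter that reaches the UI.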

For more information:

Please refer to the following techdoc for more details on addressing Cross
Site Scripting vulnerabilities within FileNet Workplace XT and FileNet
Workplace (Application Engine):

http://www-01.ibm.com/support/docview.wss?uid=swg27022201

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

This vulnerability was reported to IBM by Roshan Thomas at secvibe.com.

Change History

7 Oct 2016: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================