SB2022062008 - Clickjacking attack in IBM CICS TX Advanced
Published: June 20, 2022
Security Bulletin ID
SB2022062008
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Spoofing attack (CVE-ID: CVE-2021-39038)
The vulnerability allows a remote attacker to perform clickjacking attack.
The vulnerability exists due to incorrect processing of user-supplied data, when REST API discovery is configured through the WebSphere administrative console Web Container settings to enable the API Discovery service, or through IBM WebSphere Application Server Liberty features mpOpenAPI-1.0, mpOpenAPI-1.1, mpOpenAPI-2.0, apiDiscovery-1.0, openapi-3.0 or openapi-3.1. A remote attacker can perform clickjacking attack.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-cve-2021-39028-in-websphere-application-server-liberty-affects-ibm-cics-tx-advanced/"
- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-cve-2021-39028-in-websphere-application-server-liberty-affects-ibm-cics-tx-advanced/</a><br><a
- https://www.ibm.com/support/pages/node/6595095"
- https://www.ibm.com/support/pages/node/6595095</a><br><br><br></p>