CVE-2021-29668 : Security Advisory and Response

IBM Jazz Foundation and IBM Engineering products have been identified as susceptible to cross-site scripting vulnerabilities. This loophole enables users to inject arbitrary JavaScript code into the Web UI, potentially leading to unauthorized access and disclosure of sensitive information within secure sessions.

Understanding CVE-2021-29668

This CVE discloses a critical cross-site scripting vulnerability affecting multiple IBM products.

What is CVE-2021-29668?

IBM Engineering products, including Engineering Test Management, Rational Quality Manager, Rational Rhapsody Model Manager, Rational DOORS Next Generation, Engineering Lifecycle Optimization, Rational Engineering Lifecycle Manager, and Rational Collaborative Lifecycle Management, are at risk of a cross-site scripting vulnerability. This flaw allows threat actors to tamper with the intended functionality by injecting malicious JavaScript code through the Web UI, potentially compromising sensitive data.

The Impact of CVE-2021-29668

The vulnerability poses a medium-severity threat, with a CVSS v3.0 base score of 5.4. Attackers can exploit this vulnerability when user interaction is required, leading to potential credential disclosure within trusted sessions.

Technical Details of CVE-2021-29668

This section provides a deeper insight into the vulnerability.

Vulnerability Description

The vulnerability allows malicious users to execute arbitrary JavaScript code in the Web UI, compromising the integrity of secure sessions within IBM Engineering products.

Affected Systems and Versions

IBM products impacted include, but are not limited to, Engineering Test Management 7.0.0 and 7.0.1, Rational Quality Manager 6.0.6 and 6.0.6.1, Rational Rhapsody Model Manager 6.0.6, 6.0.6.1, and 7.0, Rational DOORS Next Generation 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2, Engineering Lifecycle Optimization 7.0, 7.0.1, and 7.0.2, Rational Engineering Lifecycle Manager 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2, and Rational Collaborative Lifecycle Management 6.0.6 and 6.0.6.1

Exploitation Mechanism

The vulnerability, rated with a medium severity base score, requires user interaction for exploitation. This allows threat actors to alter the intended functionality of the Web UI, potentially leading to credentials disclosure within trusted sessions.

Mitigation and Prevention

Taking immediate action is crucial to secure affected systems and prevent potential exploitation.

Immediate Steps to Take

Users are advised to apply official fixes provided by IBM to address the cross-site scripting vulnerability in the affected products. It is recommended to validate and deploy the necessary patches promptly.

Long-Term Security Practices

Implementing robust security measures, including regular security assessments, user training on safe browsing practices, and monitoring for suspicious activities, can help mitigate the risk of similar vulnerabilities in the future.

Patching and Updates

Regularly check for security updates and patches released by IBM for the affected products to ensure that systems are protected from known vulnerabilities.