13 January 2025 IBM i Security Alert: IBM PowerHA SystemMirror (13/01/2025)

Security bulletin: IBM PowerHA SystemMirror for IBM i is affected by multiple vulnerabilities in the PowerHA web interface.

The PowerHA web interface makes it easy to manage PowerHA operations from a web browser.

The IBM PowerHA SystemMirror web interface for IBM i is vulnerable to disclosure of cookie values (CVE-2024-55896) and to clickjacking (CVE-2024-55897), as described in the vulnerability details below. This bulletin identifies the vulnerabilities and the steps to be taken to correct them.

[CVE-2024-55897] CVSS score: 5.4
IBM PowerHA SystemMirror for i does not adequately restrict its pages from being rendered inside iframes on other origins (clickjacking). An attacker who lures an authenticated user to a page that frames the interface could trick the user into clicking on hidden controls and performing unauthorized actions on the system.

[CVE-2024-55896] CVSS score: 4.3
IBM PowerHA SystemMirror for IBM i does not set the Secure attribute on its authorization tokens or session cookies. An attacker may be able to obtain the cookie values by sending the user an http:// link to the interface, or by placing such a link on a site the user visits: the browser attaches the cookie to the cleartext request, and the attacker reads it by eavesdropping on the traffic.

PTFs for the IBM i product 5770-HAS (PowerHA SystemMirror for i) contain fixes for these vulnerabilities.

Note that these PTFs apply only to IBM i 7.5 and 7.4.

For further information on this alert, here is a link to the official publication on the IBM support site: https://lnkd.in/eDyADKz9
