APAR status
Closed as fixed if next.
Error description
CSRF attacks force an authenticated victim's browser to send an unauthenticated request to a vulnerable web application, which then performs an unauthorized action on behalf of the attacker. This issue has been identified in various places throughout the application. This APAR is specifically for the example below.
Reproduction steps:
1. Set the KNOWN_REFERRER_LIST to the host name
2. Restart the Tririga Application Server
3. Navigate to Configure -> People -> Employees
4. Select any existing employee
5. Click on the Delete button and intercept the form (See sample form below)
6. Change the sNo field in the form to that of another user
7. Save the form as an html file and open it in the browser where you are currently logged on to Tririga
8. Submit the CSRF form and see that the other user is deleted
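The steps above show that a referrer allow-list on its own did not stop the forged form: a form opened from a local file reaches the server with no Referer and at best "Origin: null", so any check that tolerates a missing source header lets it through. The following added example (not IBM's or TRIRIGA's code; KNOWN_REFERRER_LIST hosts, the csrf_token field name and the sample requests are assumptions) shows a server-side check that rejects requests with no usable Origin/Referer and additionally requires a per-session synchronizer token:

```python
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit
import hmac

# Placeholder allow-list of trusted host names (assumption, not TRIRIGA's real configuration).
KNOWN_REFERRER_LIST = {"tririga.example.com"}

def _source_host(headers: Mapping[str, str]) -> Optional[str]:
    """Host named by Origin (preferred) or Referer. A form opened from a local file
    arrives with no Referer and, at best, 'Origin: null', so both count as absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name, "")
        if value and value.lower() != "null":
            return urlsplit(value).hostname
    return None

def is_request_allowed(headers: Mapping[str, str], form: Mapping[str, str],
                       session_token: str) -> Tuple[bool, str]:
    """Allow a state-changing request only if its source host is trusted AND the
    submitted form carries the token bound to the current session."""
    host = _source_host(headers)
    if host is None:
        return False, "no usable Origin/Referer: request did not come from a known page"
    if host.lower() not in KNOWN_REFERRER_LIST:
        return False, f"untrusted source host: {host}"
    token = form.get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        return False, "missing or mismatched CSRF token"
    return True, "ok"

# Constructed sample requests (not captured from a real system).
SESSION_TOKEN = "a1b2c3d4-session-bound-token"
GENUINE_DELETE = (  # the real Delete form, submitted from the application's own page
    {"Origin": "https://tririga.example.com",
     "Referer": "https://tririga.example.com/people/employees"},
    {"sNo": "1001", "csrf_token": SESSION_TOKEN},
)
FORGED_LOCAL_FORM = (  # the saved-to-disk form from the report: no usable source header
    {"Origin": "null"},
    {"sNo": "2002"},
)
FORGED_WITH_STALE_TOKEN = (  # acceptable Referer but a token not bound to this session
    {"Referer": "https://tririga.example.com/"},
    {"sNo": "2002", "csrf_token": "stale-or-guessed"},
)
```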
Local fix
No
Problem summary
TITLE: IBM TRIRIGA Application Platform is vulnerable to a Cross Site Request Forgery Attack. (CVE-2016-0386)
CVEID: CVE-2016-0386
CVSS Base Score: 8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Problem conclusion
Resolution for this issue is targeted to the 1h2016 release, 3.5.0.2, 3.4.2.4 and 3.3.2.6 fix packs
Temporary fix
Comments
APAR Information
APAR number
IV83657
Reported component name
TRI APP PLTFM R
Reported component ID
5725F26RE
Reported release
350
Status
CLOSED FIN
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-04-12
Closed date
2016-04-20
Last modified date
2016-04-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
999
Fix information
Applicable component levels
Document Information
Modified date:
30 March 2022