IBM Support

Does ICC support 'Subresource Integrity' checking?

Question & Answer

Question

We had a vulnerability flagged against the control center server. The description states: "The application does not perform Subresource Integrity tests for externally acquired resources, such as JavaScript and CSS files." Does ICC support 'Subresource Integrity' checking?

Cause

We had a vulnerability flagged against the control center server. The description states: "The application does not perform Subresource Integrity tests for externally acquired resources, such as JavaScript and CSS files. Subresource Integrity provides a method for a website to ensure that resources have not been modified without the site owner's knowledge, by checking that the resources match cryptographically secure hashes. Subresource Integrity also requires CORS support from the upstream domain."

The discovery was made against:

Path: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/downloads/wlp_ga_latestversion.js
Attributes:
- type: text/javascript
- src: https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/downloads/wlp_ga_latestversion.js

Answer

Subresource Integrity checking is intended as a safety feature to protect visitors browsing a site hosted on web server 'A' that uses a content delivery network (CDN), which in turn fetches some or all of its content from a subresource provided by another web server 'B'. By including a hashed checksum with the reference to the content, the integrity of the received content can be checked, which prevents malicious changes to the content, for example by a hacker or administrator on web server 'B', or by interception of the traffic between 'A' and 'B'.

IBM Control Center, however, is a self-contained application that never serves content from a CDN; therefore this vulnerability does not apply to ICC. ICC is not a website in the usual sense, so the vulnerability would not really apply. ICC is an application used only by users within your organisation, and it should in the first instance be protected by your host access policies and procedures; if these are properly implemented, it should not be possible for any files to be accessed by unauthorised means.


Document Information

Modified date: 17 April 2020

UID: ibm16194415