Vulnerability Name: CVE-2021-39038 (CCN-213968)

Assigned: 2021-08-16
Published: 2022-02-23
Updated: 2022-03-03
Summary: IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.2 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 213968.
CVSS v3 Severity: 5.4 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
4.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): Low
  User Interaction (UI): Required
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): Low
  Availability (A): None
4.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)
3.9 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): Low
  User Interaction (UI): Required
Scope:
  Scope (S): Changed
Impact Metrics:
  Confidentiality (C): Low
  Integrity (I): Low
  Availability (A): None
CVSS v2 Severity: 3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): Single_Instance
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): Partial
  Availability (A): None
3.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): High
  Authentication (Au): Single_Instance
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): Partial
  Availability (A): None
Vulnerability Type: CWE-1021
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2021-39038

Source: XF
Type: UNKNOWN
ibm-websphere-cve202139038-clickjacking(213968)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-websphere-cve202139038-clickjacking (213968)

Source: CCN
Type: IBM Security Bulletin 6559044 (WebSphere Application Server Liberty)
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038)

Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.ibm.com/support/pages/node/6559044

Source: CCN
Type: IBM Security Bulletin 6565789 (Liberty for Java)
Liberty for Java for IBM Cloud is vulnerable to Clickjacking (CVE-2021-39038)

Source: CCN
Type: IBM Security Bulletin 6568369 (i)
IBM WebSphere Application Server Liberty for IBM i is affected by arbitrary code execution and other attacks due to multiple vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6573943 (PowerVM NovaLink)
Because WebSphere Liberty is vulnerable, PowerVM NovaLink could allow a remote attacker to hijack the clicking action of the victim.

Source: CCN
Type: IBM Security Bulletin 6578583 (Cloud Pak for Business Automation)
Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2022

Source: CCN
Type: IBM Security Bulletin 6579141 (Spectrum Scale)
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39038)

Source: CCN
Type: IBM Security Bulletin 6582695 (Cloud Transformation Advisor)
IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6587489 (Voice Gateway)
Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6587963 (Rational Asset Analyzer)
Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-39038, CVE-1999-0002)

Source: CCN
Type: IBM Security Bulletin 6589115 (Elastic Storage System)
A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM ESS (CVE-2021-39031)

Source: CCN
Type: IBM Security Bulletin 6591057 (Watson Explorer)
Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2022-22475, CVE-2021-39038)

Source: CCN
Type: IBM Security Bulletin 6592587 (WIoTP MessageGateway)
Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/MessageSight

Source: CCN
Type: IBM Security Bulletin 6593121 (TXSeries for Multiplatforms)
A vulnerability (CVE-2021-39028) in WebSphere Application Server Liberty affects IBM TXSeries for Multiplatforms

Source: CCN
Type: IBM Security Bulletin 6593879 (Watson Knowledge Catalog on-prem)
Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 6595095 (CICS TX Advanced)
A vulnerability (CVE-2021-39028) in WebSphere Application Server Liberty affects IBM CICS TX Advanced

Source: CCN
Type: IBM Security Bulletin 6595099 (CICS TX Standard)
A vulnerability (CVE-2021-39028) in WebSphere Application Server Liberty affects IBM CICS TX Standard

Source: CCN
Type: IBM Security Bulletin 6599709 (Tivoli Netcool/Impact)
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2021-39038)

Source: CCN
Type: IBM Security Bulletin 6602255 (MQ Operator CD release)
IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038)

Source: CCN
Type: IBM Security Bulletin 6618729 (Intelligent Operations Center)
A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Intelligent Operations Center (CVE-2021-39038)

Source: CCN
Type: IBM Security Bulletin 6829315 (InfoSphere Information Server)
A clickjacking vulnerability in WebSphere Application Server Liberty affects IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6841803 (Cognos Controller)
IBM Cognos Controller has addressed multiple vulnerabilities

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 9.0.0.0 and < 9.0.5.12)
  • OR cpe:/a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* (Version >= 17.0.0.3 and <= 22.0.0.2)

Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:17.0.0.3:*:*:*:liberty:*:*:*
  • AND
  • cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:11.0.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:11.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:11.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_scale:5.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:intelligent_operations_center:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:intelligent_operations_center:5.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:intelligent_operations_center:5.1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:intelligent_operations_center:5.1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:intelligent_operations_center:5.1.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_transformation_advisor:2.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:iot_messagesight:5.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:watson_explorer:12.0.3:*:deep_analytics:*:analytical_components:*:*:*
  • OR cpe:/a:ibm:txseries:8.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:8.2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:9.1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_asset_analyzer:6.1.0.23:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:intelligent_operations_center:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:intelligent_operations_center:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_scale:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:voice_gateway:1.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:elastic_storage_system:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:txseries:9.1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_business_automation:21.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:cics_tx:11.1:*:*:*:advanced:*:*:*
