Vendor description
"IBM® Sterling B2B Integrator helps companies integrate all their complex B2B and EDI processes across partner communities in a single gateway. It provides a flexible platform, available on premises or through hybrid cloud, that supports data transformation and most communication protocols; secures your B2B network and data; provides certified container support; and achieves high availability for operations with IBM Sterling Global Mailbox. B2B Integrator enables you to reduce costs by consolidating on a single platform and automating B2B processes across enterprises, while providing governance, adherence to standards and visibility for those processes."
Source: www.ibm.com/products/b2b-integrator
Business recommendation
SEC Consult recommends updating to the latest version of IBM Sterling B2B Integrator.
An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues.
Vulnerability overview/description
1) Reflected Cross-Site Scripting (CVE-2021-20562)
A reflected cross-site scripting vulnerability has been identified across multiple functions in the mailbox component of IBM Sterling B2B Integrator, which can be exploited under the specific condition of a victim's session.
Proof of concept
1) Reflected Cross-Site Scripting (CVE-2021-20562)
The "securetoken" parameter of the following scripts is affected by the reflected cross-site scripting vulnerability:
/mailbox/jsp/MBIList.jsp
/mailbox/jsp/MBISearch.jsp
/mailbox/jsp/MBISend.jspThe exploitation is successful if the "SCI_DLSSO" cookie is valid, and the "JSESSIONID" cookie of the mailbox is invalid or does not exist. One of the possible scenarios to meet this condition is proceeding to the following steps:
1. Log in to the dashboard via "https:// <host>/dashboard/Login" to obtain an "SCI_DLSSO" cookie.
2. Visit the mailbox web page via "https:// <host>/mailbox", which gets logged in automatically since the web browser sends the "SCI_DLSSO" cookie from the step 1 to obtain a "JSESSIONID" cookie of the mailbox (Path=/mailbox/).
3. Log out of the dashboard via "https:// <host>/dashboard/Logout". The server appears to invalidate both "SCI_DLSSO" cookie in the step 1 and mailbox's "JSESSIONID" cookie in the step 2.
4. Log in to the dashboard via "https:// <host>/dashboard/Login" again to obtain a new "SCI_DLSSO" cookie.
5. Visit one of the following attacker-prepared URLs, where the web browser uses the mailbox's "JSESSIONID" cookie in the step 2 and the "SCI_DLSSO" cookie in the step 4, as follows:
https:// <host>/mailbox/jsp/MBIList.jsp?securetoken=%3C/script%3E%3Cscript%3Ealert(location.origin);%3C/script%3E%3Cscript%3E
https:// <host>/mailbox/jsp/MBISearch.jsp?securetoken=%27%22)%3C/a%3E%3Csvg/onload%3dalert(location.origin)%3E
https:// <host>/mailbox/jsp/MBISend.jsp?securetoken=%27)%22%3E%3Csvg/onload=alert(location.origin)%3E
Vulnerable / tested versions
The version 6.1.0.0 has been tested. According to the vendor, the following product versions are affected:
* 5.2.0.0 - 5.2.6.5_3
* 6.0.0.0 - 6.0.3.4
* 6.1.0.0 - 6.1.0.2