Session Cookie Set Without 'Secure' Attribute in PowerHA Web Interface

FI-2025-002 - Session Cookie Set Without 'Secure' Attribute in PowerHA Web Interface

Severity
Medium
Published Date
07-Jan-2025
Updated Date
07-Jan-2025
Vulnerabilities
CVE-2024-55897
Notes
Description

PowerHA does not set the Secure attribute on its authorization tokens or session cookies. An attacker may be able to obtain the cookie values by sending the user an http:// link to the PowerHA web interface, or by planting such a link on a site the user visits. Because the cookie lacks the Secure attribute, the browser sends it with the plaintext http:// request, and an attacker positioned on the network path can read the cookie value from the unencrypted traffic.
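The check below is an added example, not code from the advisory or from PowerHA: it parses Set-Cookie header values as a test harness or reverse proxy would see them and reports session-like cookies that lack the Secure attribute (CWE-614), which a browser would also send over plain http://. The sample headers and cookie names are constructed for illustration and are not PowerHA's actual cookie names.

```python
from dataclasses import dataclass, field

# Constructed sample Set-Cookie values; cookie names are illustrative and
# are not PowerHA's real cookie names.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",                          # Secure missing
    "authToken=tok-xyz; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT",  # not sensitive
]
# Name fragments that suggest a session identifier or authorization token.
SENSITIVE_HINTS = ("session", "sess", "token", "auth", "jwt")

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # attribute names lowercased

    @property
    def secure(self) -> bool:
        # A browser only withholds the cookie from http:// URLs when Secure is set.
        return "secure" in self.attrs

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:  # skip empty fragments left by a trailing semicolon
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value, attrs)

def looks_sensitive(name: str) -> bool:
    """Heuristic: does the cookie name suggest a session or auth token?"""
    return any(hint in name.lower() for hint in SENSITIVE_HINTS)

def find_insecure_cookies(headers) -> list:
    """Names of session-like cookies that lack the Secure attribute (CWE-614)."""
    cookies = map(parse_set_cookie, headers)
    return [c.name for c in cookies if looks_sensitive(c.name) and not c.secure]

if __name__ == "__main__":
    for name in find_insecure_cookies(SAMPLE_HEADERS):
        print(f"{name}: Secure attribute missing, cookie is also sent over http://")
```

Run it against the Set-Cookie headers returned by the real login response (for example, captured with curl -i) to confirm the PTF has taken effect.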


Vulnerabilities

Session Cookie Set Without 'Secure' Attribute in PowerHA Web Interface
Severity
Medium
CVE
CVE-2024-55897
CWE
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Discovery Date
17-Nov-2023
CVSSv3.1
4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Affected Products
PowerHA 7.5
Vulnerability Notes
Remediation: Vendor Fix

The issues can be fixed by applying a PTF to IBM i. IBM i releases 7.5 and 7.4 will be fixed.
The IBM i PTF numbers for 5770-HAS contain the fix for the vulnerabilities.