FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Community Manager
Article Id 357189
Description This article discusses JAZZ-208: Operator sessions are unable to expire.
Scope FortiDLP.
Solution

Release Date:

9th July, 2019.

 

Overview:

Operator sessions are kept alive by automatic polling of the Jazz Infrastructure API even when there is no user input.

 

Affected Products:

  • All Jazz Infrastructure up to and including version 5.0.2, and Jazz Cloud before 8th July 2019.

 

Unaffected Products:

  • Jazz Infrastructure from version 5.0.3 onwards, and the current Jazz Cloud.

 

Resolution:

This issue has been fixed in Jazz Infrastructure version 5.0.3.

 

On-premises installations running an affected version are advised to upgrade at the earliest convenience. Releases are available to download through the Jazz Networks support portal.

 

A fix was deployed to the Jazz Cloud on 8th July 2019. Jazz Cloud customers do not need to take any additional action.

 

Vulnerability Information:

Operator sessions on the following pages do not time out: #landing, #actions, #cases/<id>, #admin/status, #forensics/user/<id>/passport/atlas, and #forensics/user/<id>/actions/atlas.
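
The failure mode described in the Overview, as an added example (not Jazz Networks or Fortinet code, and not a description of the actual fix): a server-side idle timer that every request refreshes never fires while a page polls, whereas a timer that only operator-driven requests refresh does. The `background` marker, the 15-minute timeout, the 30-second poll interval and all names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60  # seconds; assumed value, not from the advisory


@dataclass
class Session:
    last_activity: float  # drives expiry
    last_seen: float      # any request, kept for audit only


class SessionStore:
    """refresh_on_poll=True reproduces the flaw described in the Overview."""

    def __init__(self, refresh_on_poll: bool):
        self.refresh_on_poll = refresh_on_poll
        self.sessions = {}

    def login(self, sid: str, now: float) -> None:
        self.sessions[sid] = Session(last_activity=now, last_seen=now)

    def handle(self, sid: str, now: float, background: bool) -> bool:
        """Serve one API request; False means the session has expired.

        `background` is a hypothetical marker for timer-driven polling,
        e.g. derived from a header the UI adds to its automatic calls.
        """
        s = self.sessions.get(sid)
        if s is None or now - s.last_activity > IDLE_TIMEOUT:
            self.sessions.pop(sid, None)
            return False
        s.last_seen = now
        if not background or self.refresh_on_poll:
            s.last_activity = now  # only operator input should reach here
        return True


def simulate(refresh_on_poll: bool, hours: int = 2, poll_every: int = 30) -> Optional[float]:
    """Operator logs in at t=0 and walks away while the page keeps polling.

    Returns the time the first request was rejected, or None if never.
    """
    store = SessionStore(refresh_on_poll)
    store.login("sid-1", now=0.0)  # constructed session id
    for t in range(poll_every, hours * 3600 + 1, poll_every):
        if not store.handle("sid-1", float(t), background=True):
            return float(t)
    return None
```

An absolute session lifetime enforced alongside the idle timer bounds the session even when a request is misclassified as operator-driven.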

 

Acknowledgments:

Issue found internally by Jazz Networks.

 

Disclosure Timeline:

  • 20/06/2019 Issue found internally by Jazz Networks.
  • 20/06/2019 Root cause established.
  • 20/06/2019 Fix identified.
  • 08/07/2019 Patched Jazz Cloud released.
  • 09/07/2019 Patched Jazz Infrastructure released.
  • 09/07/2019 Vulnerability disclosed.