Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2017-9368, CVE-2017-9367 |
CWE-ID | CWE-200, CWE-22 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | BlackBerry Workspaces Appliance-X (Server applications / Other server solutions), BlackBerry Workspaces vApp (Server applications / Other server solutions) |
Vendor | BlackBerry |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU8849
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-9368
CWE-ID: CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists in a file server API due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP GET request to the API, trick the victim into following it and gain access to source code for server-side applications.
Successful exploitation of the vulnerability results in information disclosure.
Mitigation
Update Appliance-X to version 1.12.0.
Update vApp to version 5.7.2.
Vulnerable software versions
BlackBerry Workspaces Appliance-X: 1.7.0 - 1.11.2
BlackBerry Workspaces vApp: 5.5.9 - 5.6.6
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000045696
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU8850
Risk: Low
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-9367
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to directory traversal. A remote attacker can send a specially crafted POST request, upload a web shell to the server’s webroot, execute arbitrary files, or reveal the content of arbitrary files anywhere on the web server.
Successful exploitation of the vulnerability may result in system compromise.
Mitigation
Update Appliance-X to version 1.12.0.
Update vApp to version 5.7.2.
Vulnerable software versions
BlackBerry Workspaces Appliance-X: 1.7.0 - 1.11.2
BlackBerry Workspaces vApp: 5.5.9 - 5.6.6
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumber=000045696
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.