SQL injection in IBM Business Process Manager
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-1674 |
| CWE-ID | CWE-89 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM Business Process Manager Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) SQL injection
EUVDB-ID: #VU14916
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-1674
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to execute arbitrary SQL commands in application database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can send a specially crafted request to vulnerable applicatoin and execute arbitrary SQL commands in application's database.
Successful exploitation of this vulnerability may allow a remote attacker to read, alter or modify data in database.
MitigationInstall updates from vendor's website:
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- Install CF 18.0.0.1 (released 2018.07) and then apply iFix JR59569
For IBM BPM V8.6.0.0 (released 2017.09) through V8.6.0.0 CF2018.03
- Install CF 2017.12 or later and then apply iFix JR59569 (Note that the BPM V8.6.0.0 CF2018.03 fix can be found by searching for Business Automation Workflow fixes)
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Install CF 2017.06 and then apply iFix JR59569
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
For IBM BPM V8.5.5.0
- Apply iFix JR59569
For IBM BPM V8.5.0.0 through V8.5.0.2
- Install Fix Pack 2 as required by iFix and then apply iFix JR59569
Vulnerable software versions
IBM Business Process Manager: 8.5.0.0 - 18.0.0.1
CPE2.3- cpe:2.3:a:ibm_corporation:ibm_business_process_manager:8.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_business_process_manager:8.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:ibm_corporation:ibm_business_process_manager:8.5.0.2:*:*:*:*:*:*:*
https://www-01.ibm.com/support/docview.wss?uid=ibm10720035
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
