Insecure dynamic library loading in IBM Cloud Automation Manager
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-14271 |
| CWE-ID | CWE-427 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
IBM Cloud Automation Manager Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Insecure dynamic library loading
EUVDB-ID: #VU20969
Risk: Medium
CVSSv4.0: 7.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2019-14271
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to compromise vulnerable system.
The vulnerability exists due to the application loads NSS libraries in docker cp
in an insecure manner. A local attacker can pass a specially crafted library file to the application and execute arbitrary code on the system with elevated privileges.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Automation Manager: All versions
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/1072204
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
