SB20240417121 - Multiple vulnerabilities in IBM Sterling Order Management
Published: April 17, 2024
Description
This security bulletin contains information about 23 security vulnerabilities.
1) Code Injection (CVE-ID: CVE-2021-31805)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation caused by an incomplete fix for #VU48815 (CVE-2020-17530): some tag attributes could still perform double evaluation when a developer applied forced OGNL evaluation using the %{...} syntax. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Input validation error (CVE-ID: CVE-2013-2248)
The vulnerability allows a remote attacker to perform redirect attacks.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can redirect users to arbitrary web sites and conduct phishing attacks via a URL in a parameter using the (1) redirect: or (2) redirectAction: prefix.
3) Code Injection (CVE-ID: CVE-2013-2135)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL expression to be evaluated twice.
4) Code Injection (CVE-ID: CVE-2013-2134)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching.
5) Code Injection (CVE-ID: CVE-2013-1966)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
6) Improper Handling of Parameters (CVE-ID: CVE-2013-1965)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of parameters. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary OGNL code via a crafted parameter name.
7) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-4387)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists because the application does not properly impose security restrictions. A remote attacker can cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
8) Input validation error (CVE-ID: CVE-2012-0838)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because Apache Struts evaluates a string as an OGNL expression during the handling of a conversion error. A remote attacker can pass specially crafted invalid input to a field to modify run-time data values and consequently execute arbitrary code.
9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2012-0393)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because the ParameterInterceptor component in Apache Struts does not prevent access to public constructors. A remote attacker can create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
10) Code Injection (CVE-ID: CVE-2012-0392)
The vulnerability allows a remote attacker to compromise the affected system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
11) Code Injection (CVE-ID: CVE-2012-0391)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the ExceptionDelegator component in Apache Struts when interpreting parameter values as OGNL expressions during certain exception handling for mismatched data types of properties. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
12) Security features bypass (CVE-ID: CVE-2010-1870)
The vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists because the OGNL expression evaluation capability in XWork in Struts uses a permissive whitelist. A remote attacker can bypass security restrictions.
13) Code Injection (CVE-ID: CVE-2020-17530)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation when processing certain tag attributes. The application performs double evaluation of the code if a developer applied forced OGNL evaluation by using the %{...} syntax. A remote attacker can send a specially crafted request to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
14) Improper access control (CVE-ID: CVE-2019-0233)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because stack-accessible values (e.g. Action properties) of type java.io.File and java.nio.File, as well as other classes from these standard library packages, are not properly protected by the framework. When a file upload is performed to an Action that exposes the file with a getter, an attacker may manipulate the request such that the working copy of the uploaded file is set to read-only. As a result, subsequent actions on the file will fail with an error. It might also be possible to set the Servlet container's temp directory to read-only, such that subsequent upload actions will fail.
15) Code Injection (CVE-ID: CVE-2019-0230)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The Apache Struts framework, when forced, performs double evaluation of values assigned to certain tag attributes such as id, so it is possible to pass in a value that will be evaluated again when the tag's attributes are rendered. With a carefully crafted request, this can lead to Remote Code Execution (RCE).
The problem only applies when forcing OGNL evaluation inside a Struts tag attribute, when the expression to evaluate references raw, unvalidated input that an attacker is able to directly modify by crafting a corresponding request.
Example:
<s:url var="url" namespace="/employee" action="list"/><s:a id="%{skillName}" href="%{url}">List available Employees</s:a>
If an attacker is able to modify the skillName attribute in a request such that a raw OGNL expression gets passed to the skillName property without further validation, the provided OGNL expression contained in the skillName attribute gets evaluated when the tag is rendered as a result of the request.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
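The forced-evaluation pattern in the example above (a %{...} expression in a Struts tag attribute that names a request-bound action property) can be found in JSP source before an attacker does. The following is an added example written for this bulletin; it is not IBM's or Apache's code. It takes a constructed JSP fragment modelled on the example above and a caller-supplied set of request-bound property names (assumed here to be skillName; in a real action it is every property with a public setter), and reports each attribute whose forced OGNL expression references one of them.

```python
import re

# A Struts tag in JSP source, e.g. <s:a id="%{skillName}" href="%{url}">.
# Self-closing tags are matched as well; attributes are parsed separately.
TAG_RE = re.compile(r"<s:(?P<tag>[A-Za-z]+)\b(?P<attrs>[^>]*)>")
ATTR_RE = re.compile(r'(?P<name>[A-Za-z:_-]+)\s*=\s*"(?P<value>[^"]*)"')
# Forced OGNL evaluation inside an attribute value: %{ ... }
FORCED_RE = re.compile(r"%\{(?P<expr>[^}]*)\}")
IDENT_RE = re.compile(r"[A-Za-z_]\w*")


def ognl_identifiers(expr):
    """Bare identifiers referenced by an OGNL expression.  String literals are
    stripped first so that 'skill-' in "'skill-' + skillName" is not treated
    as a property name."""
    without_literals = re.sub(r"'[^']*'|\"[^\"]*\"", "", expr)
    return set(IDENT_RE.findall(without_literals))


def find_forced_ognl(jsp_source, request_bound_properties):
    """Scan JSP source for Struts tag attributes that force OGNL evaluation
    of an expression referencing a request-bound action property.

    request_bound_properties: names of action properties that Struts fills
    from request parameters (in practice every public setter on the action).
    Returns a list of (line, tag, attribute, expression) findings.
    """
    props = set(request_bound_properties)
    findings = []
    for tag in TAG_RE.finditer(jsp_source):
        line = jsp_source.count("\n", 0, tag.start()) + 1
        for attr in ATTR_RE.finditer(tag.group("attrs")):
            for forced in FORCED_RE.finditer(attr.group("value")):
                expr = forced.group("expr").strip()
                if ognl_identifiers(expr) & props:
                    findings.append((line, tag.group("tag"), attr.group("name"), expr))
    return findings


# Constructed JSP fragment for the example (not from a real application).
# Line 2 is the bulletin's own example; line 3 hides the property inside a
# larger expression; line 4 is the safe form, where %{url} only references a
# value produced by the s:url tag and id is a plain literal.
SAMPLE_JSP = """\
<s:url var="url" namespace="/employee" action="list"/>
<s:a id="%{skillName}" href="%{url}">List available Employees</s:a>
<s:textfield name="skillName" id="%{'skill-' + skillName}"/>
<s:a id="employees" href="%{url}">List available Employees</s:a>
"""
SAMPLE_PROPERTIES = {"skillName"}  # assumed request-bound properties of the action


def scan_sample():
    return find_forced_ognl(SAMPLE_JSP, SAMPLE_PROPERTIES)


if __name__ == "__main__":
    for line, tag, attr, expr in scan_sample():
        print(f"line {line}: <s:{tag} {attr}=\"%{{{expr}}}\"> evaluates request input")
```

A finding means a request parameter reaches OGNL a second time when the tag renders; the application-level fix is to stop forcing evaluation on that attribute (a literal id as on line 4) or to validate the property against an allow-list before it is placed on the value stack, in addition to the vendor update.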
16) Remote code execution (CVE-ID: CVE-2017-12611)
The vulnerability allows a remote attacker to execute arbitrary code. The weakness exists due to the unsafe use of writable expression values in Freemarker content. A remote attacker can submit malicious values in writable expressions to the affected application for processing and execute arbitrary code in the security context of the affected application.
17) Input validation error (CVE-ID: CVE-2016-4436)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper action name clean-up. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary code on the target system.
18) Improper Handling of Parameters (CVE-ID: CVE-2016-3082)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper handling of parameters. A remote unauthenticated attacker can trigger the vulnerability and execute arbitrary code via the stylesheet location parameter.
19) Input validation error (CVE-ID: CVE-2015-5209)
The vulnerability allows a remote attacker to modify data on the system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
20) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0113)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists because CookieInterceptor in Apache Struts does not properly restrict access to the getClass method when a wildcard cookiesName value is used. A remote attacker can manipulate the ClassLoader and execute arbitrary code via a crafted request.
21) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0112)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper access restrictions within the getClass method in ParametersInterceptor. A remote non-authenticated attacker can manipulate the ClassLoader via a specially crafted request and execute arbitrary code on the system.
Note, the vulnerability exists due to incomplete fix for #VU5234 (CVE-2014-0094).
22) Configuration (CVE-ID: CVE-2013-4316)
The issue may allow a remote attacker to bypass implemented security restrictions.
The issue exists because Apache Struts enables Dynamic Method Invocation by default. A remote attacker can trigger the vulnerability to bypass implemented security restrictions.
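Several of the items above leave a recognisable trace in the web server access log: the redirect: and redirectAction: parameter prefix of item 2, the %{...} and ${...} sequences of items 3, 13 and 15, the overlong parameter name of item 7, and the action!method and method: forms of Dynamic Method Invocation of item 22. The following is an added example written for this bulletin, not code from IBM or Apache; it runs those indicators over constructed NCSA-style log lines. The OGNL context names (#_memberAccess and the @class@ static-call syntax) and the 200-character name threshold are assumptions taken from public Struts payloads and are not stated in the bulletin.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside an NCSA/Apache style access log entry.
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators applied to percent-decoded parameter names and values.
PARAM_INDICATORS = [
    # %{...} or ${...}: forced / double OGNL evaluation (items 3, 13, 15)
    ("ognl_forced_eval", re.compile(r"%\{|\$\{")),
    # OGNL context objects and static calls used to escape the sandbox (item 12);
    # the names are an assumption from public payloads, not from the bulletin
    ("ognl_context_access", re.compile(r"#_memberAccess|#context\b|@[\w.]+@")),
    # redirect:/redirectAction: prefix in a parameter name (item 2, CVE-2013-2248)
    ("redirect_prefix", re.compile(r"^(?:redirect|redirectAction):", re.I)),
    # method: parameter prefix, one spelling of Dynamic Method Invocation (item 22)
    ("dynamic_method_invocation", re.compile(r"^method:", re.I)),
]
# action!method path form of Dynamic Method Invocation (item 22)
DMI_PATH_RE = re.compile(r"![A-Za-z_]\w*(?:\.action)?$")
# Assumed threshold for the long parameter name of item 7 (CVE-2012-4387)
MAX_PARAM_NAME_LEN = 200


def classify_request(target, max_name_len=MAX_PARAM_NAME_LEN):
    """Return the sorted list of indicator labels found in one request target."""
    labels = set()
    parts = urlsplit(target)
    if DMI_PATH_RE.search(unquote(parts.path)):
        labels.add("dynamic_method_invocation")
    # parse_qsl percent-decodes names and values; blank values are kept so that
    # a bare "redirect:http://..." name is still seen.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if len(name) > max_name_len:
            labels.add("long_param_name")
        for field in (name, value):
            for label, pattern in PARAM_INDICATORS:
                if pattern.search(field):
                    labels.add(label)
    return sorted(labels)


def scan_log(lines):
    """Return (line_index, target, labels) for every log line with an indicator."""
    hits = []
    for i, line in enumerate(lines):
        m = REQ_RE.search(line)
        if not m:
            continue
        labels = classify_request(m.group("target"))
        if labels:
            hits.append((i, m.group("target"), labels))
    return hits


# Constructed log lines for the example; hosts and paths are fictitious.
LOG_LINES = [
    '10.0.0.5 - - [17/Apr/2024:10:01:02 +0000] "GET /employee/list.action?skillName=java HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Apr/2024:10:01:03 +0000] "GET /employee/list.action?skillName='
    '%25%7B%28%23_memberAccess%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29%7D HTTP/1.1" 500 0',
    '10.0.0.9 - - [17/Apr/2024:10:01:04 +0000] "GET /login.action?redirect:http://evil.example/ HTTP/1.1" 302 0',
    '10.0.0.9 - - [17/Apr/2024:10:01:05 +0000] "GET /employee/list!delete.action HTTP/1.1" 200 128',
    '10.0.0.9 - - [17/Apr/2024:10:01:06 +0000] "POST /login.action?method:logout HTTP/1.1" 200 64',
    '10.0.0.9 - - [17/Apr/2024:10:01:07 +0000] "GET /employee/list.action?' + "A" * 300 + '=1 HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for index, target, labels in scan_log(LOG_LINES):
        print(f"line {index}: {', '.join(labels)}  {target[:60]}")
```

The decoding step matters: the OGNL payload on the second line is entirely percent-encoded, so matching the raw request line for %{ or #_memberAccess would miss it. Hits on these labels are worth triage on any host that has not yet applied the vendor update, and DMI hits in particular show whether the default-enabled feature of item 22 is being exercised at all.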
23) Code Injection (CVE-ID: CVE-2013-2115)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability occurs when a crafted request is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Remediation
Install the update from the vendor's website.