SB2024053143 - Multiple vulnerabilities in IBM Sterling Order Management

Security Bulletin ID SB2024053143

Severity

Critical

Patch available

YES

Number of vulnerabilities 14

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 14 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2016-4003)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Cross-site scripting (CVE-ID: CVE-2015-5169)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

3) Cross-site scripting (CVE-ID: CVE-2015-2992)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

4) Input validation error (CVE-ID: CVE-2013-2251)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0116)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to CookieInterceptor in Apache Struts does not properly restrict access to the getClass method, when a wildcard cookiesName value is used. A remote attacker can "manipulate" the ClassLoader and modify the session state via a crafted request.

6) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4310)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.

7) Input validation error (CVE-ID: CVE-2016-3093)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

8) Cross-site request forgery (CVE-ID: CVE-2012-4386)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to token check mechanism in Apache Struts does not properly validate the token name configuration parameter. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

9) Command Injection (CVE-ID: CVE-2016-3081)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient filtration of user-supplied data, when Dynamic Method Invocation is enabled. A remote attacker can pass arbitrary commands via the method: prefix and execute them on the server.

10) Security bypass (CVE-ID: CVE-2014-0094)

The vulnerability allows a remote attacker to bypass security restsrictions on the target system.

The weakness exists due to an error in ParametersInterceptor. A remote attacker can use a specially crafted class parameter to manipulate the ClassLoader used by the application server.

Successful exploitation of the vulnerability results in security bypass on the vulnerable system.

Note: the vulnerability was being actively exploited.

11) Cross-site scripting (CVE-ID: CVE-2012-1006)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and inject arbitrary web script or HTML via the (1) name or (2) lastName parameter to struts2-showcase/person/editPerson.action, or the (3) clientName parameter to struts2-rest-showcase/orders.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2011-5057)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to Apache Struts provides interfaces that do not properly restrict access to collections such as the session and request collections. A remote attacker can modify run-time data values via a crafted parameter to an application that implements an affected interface.

13) Cross-site request forgery (CVE-ID: CVE-2014-7809)

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

14) Cross-site scripting (CVE-ID: CVE-2011-1772)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and inject arbitrary web script or HTML via vectors involving (1) an action name, (2) the action attribute of an s:submit element, or (3) the method attribute of an s:submit element.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Remediation

Install update from vendor's website.

References

https://www.ibm.com/support/pages/node/6620355

SB2024053143 - Multiple vulnerabilities in IBM Sterling Order Management

Breakdown by Severity

Description

Remediation

References

Please verify you're human