#VU14916 SQL injection in IBM Business Process Manager - CVE-2018-1674
Vulnerability identifier: #VU14916
Vulnerability risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID:
CWE-ID:
CWE-89
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
IBM Business Process Manager
Server applications /
Other server solutions
Vendor: IBM Corporation
Description
The disclosed vulnerability allows a remote attacker to execute arbitrary SQL commands in application database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can send a specially crafted request to vulnerable applicatoin and execute arbitrary SQL commands in application's database.
Successful exploitation of this vulnerability may allow a remote attacker to read, alter or modify data in database.
Mitigation
Install updates from vendor's website:
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- Install CF 18.0.0.1 (released 2018.07) and then apply iFix JR59569
For IBM BPM V8.6.0.0 (released 2017.09) through V8.6.0.0 CF2018.03
- Install CF 2017.12 or later and then apply iFix JR59569 (Note that the BPM V8.6.0.0 CF2018.03 fix can be found by searching for Business Automation Workflow fixes)
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Install CF 2017.06 and then apply iFix JR59569
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
For IBM BPM V8.5.5.0
- Apply iFix JR59569
For IBM BPM V8.5.0.0 through V8.5.0.2
- Install Fix Pack 2 as required by iFix and then apply iFix JR59569
Vulnerable software versions
IBM Business Process Manager: 8.5.0.0 - 18.0.0.1
External links
https://www-01.ibm.com/support/docview.wss?uid=ibm10720035
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
