Multiple vulnerabilities in IBM API Connect
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2019-0211 CVE-2020-1934 CVE-2020-1927 CVE-2019-10098 CVE-2019-10092 CVE-2018-20843 CVE-2019-0220 CVE-2018-1301 CVE-2017-15715 CVE-2017-15710 CVE-2017-12613 CVE-2017-12618 CVE-2017-9798 CVE-2017-7679 |
| CWE-ID | CWE-264 CWE-457 CWE-601 CWE-20 CWE-79 CWE-611 CWE-125 CWE-787 CWE-200 CWE-416 |
| Exploitation vector | Network |
| Public exploit |
Vulnerability #1 is being exploited in the wild. Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #6 is available. Public exploit code for vulnerability #13 is available. Public exploit code for vulnerability #14 is available. |
| Vulnerable software Subscribe |
IBM API Connect Client/Desktop applications / Office applications |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU18110
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C]
CVE-ID: CVE-2019-0211
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists within MPM implementation due to the application does not properly maintain each child's listener bucket number in the scoreboard that may lead to unprivileged code or scripts run by server (e.g. via mod_php) to modify the scoreboard and abuse the privileged main process.
A local user can execute arbitrary code on the system with privileges of the Apache HTTP Server code process.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) Use of Uninitialized Variable
EUVDB-ID: #VU26528
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-1934
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the "mod_proxy_ftp" may use uninitialized memory when proxying to a malicious FTP server. A remote attacker can gain unauthorized access to sensitive information on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Open redirect
EUVDB-ID: #VU26527
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-1927
CWE-ID:
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to redirect victims to arbitrary URL.
The vulnerability exists due to improper sanitization of user-supplied data in some "mod_rewrite" configurations. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.
Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU20374
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-10098
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to incorrect handling of encoded line break characters within rewrite rules. A remote attacker can send a specially crafted HTTP request and potentially bypass security restrictions.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Cross-site scripting
EUVDB-ID: #VU20384
Risk: Low
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10092
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data on the mod_proxy error page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) XML External Entity injection
EUVDB-ID: #VU18923
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-20843
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input including XML names that contain a large number of colons. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Input validation error
EUVDB-ID: #VU18113
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0220
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to the web server does not merge consecutive slashes in URLs, that can lead to incorrect processing of requests when accessing CGI programs. Such web server behavior may lead to security restrictions bypass.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds read
EUVDB-ID: #VU11281
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1301
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to improper validation of user-supplied input. A remote attacker can send a specially crafted HTTP request to trigger an out-of-bounds
memory access error after a header size limit has been reached to cause
the target service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Security restrictions bypass
EUVDB-ID: #VU11284
Risk: Low
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-15715
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists on systems that allow uploading of user-specified filenames due to the '<FilesMatch>' expression may not correctly match characters in a filename. A remote attacker can supply a specially crafted filename to potentially bypass security
controls that use the '<FilesMatch>' directive.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds write
EUVDB-ID: #VU11283
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-15710
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in HTTPD mod_authnz_ldap due to improper validation of user-supplied input. A remote attacker can send a specially crafted Accept-Language header value, trigger an out-of-bounds memory write error and potentially cause
the target service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Out-of-bounds read
EUVDB-ID: #VU9477
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-12613
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an out-of-bounds array dereference in the
apr_time_exp_get() function. A remote attacker can access prior
out-of-bounds memory, reveal the contents of a different static heap
value and read arbitrary files or cause the application to crash.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Information disclosure
EUVDB-ID: #VU15618
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-12618
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an out-of-bounds array dereference in the apr_time_exp_get() function. A remote attacker can access prior out-of-bounds memory, reveal the contents of a different static heap value and read arbitrary files or cause the application to crash.
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Use-after-free
EUVDB-ID: #VU8504
Risk: Low
CVSSv3.1: 5.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:F/RL:O/RC:C]
CVE-ID: CVE-2017-9798
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to use-after-free error when processing HTTP OPTIONS requests in server/core.c, when limits are configured in .htaccess or httpd.conf configuration files. A remote unauthenticated attacker can read portions of memory through HTTP OPTIONS requests and gain access to potentially sensitive data.
The vulnerability is dubbed Optionsbleed.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
14) Out-of-bounds read
EUVDB-ID: #VU7119
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2017-7679
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to out-of-bounds read within the mod_mime when constructing Content-Type response header. A remote attacker read one byte pas the end of a buffer when sending a malicious Content-Type response header.
Mitigation
Install update from vendor's website.
Vulnerable software versionsIBM API Connect: 5.0.0 - 5.0.8.11
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-ibm-api-connect-is-impacted-by-multiple-vulnerabilities-in-ibm-http-server/
http://www.ibm.com/support/pages/node/6489787
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
