Multiple vulnerabilities in IBM B2B Advanced Communications



Published: 2023-02-21
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2014-0114
CVE-2019-10086
CWE-ID CWE-470
CWE-693
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerable software
Subscribe 		Multi-Enterprise Integration Gateway
Other software / Other software solutions

B2B Advanced Communications
Other software / Other software solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Unsafe reflection

EUVDB-ID: #VU65653

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2014-0114

CWE-ID: CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to Apache Commons BeanUtils does not suppress the class property. A remote unauthenticated attacker can manipulate the ClassLoader and execute arbitrary code via the class parameter

Mitigation

Install update from vendor's website.

Vulnerable software versions

Multi-Enterprise Integration Gateway: before 1.0.0.8

B2B Advanced Communications: before 1.0.0.8

CPE2.3 External links

http://www.ibm.com/support/pages/node/6956838


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Protection mechanism failure

EUVDB-ID: #VU20844

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-10086

CWE-ID: CWE-693 - Protection Mechanism Failure

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exist due to Beanutils is not using by default the a special BeanIntrospector class in PropertyUtilsBean that was supposed to suppress the ability for an attacker to access the classloader via the class property available on all Java objects. A remote attacker can abuse such application behavior against applications that were developed to rely on this security feature.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Multi-Enterprise Integration Gateway: before 1.0.0.8

B2B Advanced Communications: before 1.0.0.8

CPE2.3 External links

http://www.ibm.com/support/pages/node/6956838


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###