Multiple vulnerabilities in IBM Intelligent Operations Center (IOC)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2018-8013 CVE-2017-5662 CVE-2015-0250 |
| CWE-ID | CWE-502 CWE-611 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM Intelligent Operations Center Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Deserialization of untrusted data
EUVDB-ID: #VU13059
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-8013
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The vulnerability exists due to insufficient validation of user-supplied data. A remote attacker can supply specially crafted data, trigger a deserialization error in a subclass of 'AbstractDocuent' and access potentially sensitive information.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Intelligent Operations Center: before 5.2.4
External linkshttp://www.ibm.com/support/pages/node/7030598
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) XXE attack
EUVDB-ID: #VU13180
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5662
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote unauthenticated attacker to conduct XXE-attack on the target system.
The weakness exists due to improper restriction of XML external entity references. A remote attacker can supply specially crafted xml document to gain access to arbitrary files or conduct amplification attack to cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsIBM Intelligent Operations Center: before 5.2.4
External linkshttp://www.ibm.com/support/pages/node/7030598
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU78255
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2015-0250
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows remote attackers to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can read arbitrary files or cause a denial of service via a crafted SVG file.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Intelligent Operations Center: before 5.2.4
External linkshttp://www.ibm.com/support/pages/node/7030598
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
