SQL injection in IBM Business Process Manager - CVE-2018-1674
Published: September 27, 2018
IBM Business Process Manager
Detailed vulnerability description
The disclosed vulnerability allows a remote attacker to execute arbitrary SQL commands in the application's database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database.
Successful exploitation of this vulnerability may allow a remote attacker to read, alter or modify data in the database.
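The advisory attributes the flaw to insufficient sanitization of user-supplied data. The following Python example, added here and not taken from IBM's product or the advisory, shows the general pattern behind that class of bug: a query built by splicing the caller's string into the SQL text beside the hardened form that binds the value as a parameter. The `users` table, its rows and the crafted input are constructed for illustration and do not reflect the IBM BPM schema; the bug in the product itself is not described in detail by the advisory.

```python
import sqlite3

# Constructed sample data standing in for an application table
# (an assumption for illustration, not IBM BPM's schema).
SAMPLE_ROWS = [
    ("alice", "Finance"),
    ("bob", "HR"),
    ("carol", "Finance"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, department: str) -> list:
    """Insufficient sanitization: the caller's string becomes part of the SQL text.

    Because the value is spliced into the statement, a crafted value can change
    the query's logic instead of being treated purely as data.
    """
    sql = f"SELECT name FROM users WHERE department = '{department}' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, department: str) -> list:
    """Hardened form: a bound placeholder keeps the input strictly as a value.

    The database driver compares the parameter literally against the column, so
    quotes or SQL keywords inside it can never alter the statement.
    """
    sql = "SELECT name FROM users WHERE department = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (department,))]


def compare(department: str) -> dict:
    """Run the same input through both forms and report what each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable": lookup_vulnerable(conn, department),
            "parameterized": lookup_parameterized(conn, department),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Benign input: both forms return the same rows.
    print(compare("Finance"))
    # Crafted input (constructed): the concatenated WHERE clause is rewritten to
    # match every row, so all names are returned; the bound parameter is compared
    # literally to the department column and matches nothing.
    print(compare("x' OR '1'='1"))
```

The contrast is the point a code reviewer looks for: any place where request data reaches the SQL string by concatenation or formatting is a candidate for this bug class, regardless of what input filtering sits in front of it, whereas bound parameters close it structurally.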
How to mitigate CVE-2018-1674
Install updates from the vendor's website:
For IBM Business Automation Workflow V18.0.0.0 through V18.0.0.1
- Install CF 18.0.0.1 (released 2018.07) and then apply iFix JR59569
For IBM BPM V8.6.0.0 (released 2017.09) through V8.6.0.0 CF2018.03
- Install CF 2017.12 or later and then apply iFix JR59569 (Note that the BPM V8.6.0.0 CF2018.03 fix can be found by searching for Business Automation Workflow fixes)
For IBM BPM V8.5.7.0 through V8.5.7.0 CF 2017.06
- Install CF 2017.06 and then apply iFix JR59569
For IBM BPM V8.5.6.0 through V8.5.6.0 CF2
For IBM BPM V8.5.5.0
- Apply iFix JR59569
For IBM BPM V8.5.0.0 through V8.5.0.2
- Install Fix Pack 2 as required by iFix and then apply iFix JR59569