cnvd - cnvd-2015-04402

CNVD-2015-04402

Vulnerability from cnvd - Published: 2015-07-13

Title

IBM Business Process Manager和WebSphere Lombardi Edition安全绕过漏洞

Description

IBM Business Process Manager（BPM)是美国IBM公司的一套综合的业务流程管理平台，它为业务的流程建模、组装、监控和部署提供了一系列的相关工具。WebSphere Lombardi Edition（WLE）是BPM产品的前身。 IBM BPM和WLE中存在安全绕过漏洞。攻击者可以利用此漏洞绕过安全限制或执行未经授权的操作;这可能有助于发动进一步的攻击。

Severity

中

Patch Name

IBM Business Process Manager和WebSphere Lombardi Edition安全绕过漏洞的补丁

Patch Description

BM Business Process Manager（BPM)是美国IBM公司的一套综合的业务流程管理平台，它为业务的流程建模、组装、监控和部署提供了一系列的相关工具。WebSphere Lombardi Edition（WLE）是BPM产品的前身。IBM BPM和WLE中存在安全绕过漏洞。攻击者可以利用此漏洞绕过安全限制或执行未经授权的操作;这可能有助于发动进一步的攻击。目前，厂商已经发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www-01.ibm.com/support/docview.wss?uid=swg27039722

Reference

http://www.securityfocus.com/bid/73274

Impacted products

Name
IBM WebSphere Lombardi Edition 7.2.0

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "73274"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-0110"
    }
  },
  "description": "IBM Business Process Manager\uff08BPM)\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\uff0c\u5b83\u4e3a\u4e1a\u52a1\u7684\u6d41\u7a0b\u5efa\u6a21\u3001\u7ec4\u88c5\u3001\u76d1\u63a7\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u7cfb\u5217\u7684\u76f8\u5173\u5de5\u5177\u3002WebSphere Lombardi Edition\uff08WLE\uff09\u662fBPM\u4ea7\u54c1\u7684\u524d\u8eab\u3002\r\n\r\nIBM BPM\u548cWLE\u4e2d\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u6216\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c;\u8fd9\u53ef\u80fd\u6709\u52a9\u4e8e\u53d1\u52a8\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002",
  "discovererName": "IBM",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\nhttp://www-01.ibm.com/support/docview.wss?uid=swg27039722",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-04402",
  "openTime": "2015-07-13",
  "patchDescription": "BM Business Process Manager\uff08BPM)\u662f\u7f8e\u56fdIBM\u516c\u53f8\u7684\u4e00\u5957\u7efc\u5408\u7684\u4e1a\u52a1\u6d41\u7a0b\u7ba1\u7406\u5e73\u53f0\uff0c\u5b83\u4e3a\u4e1a\u52a1\u7684\u6d41\u7a0b\u5efa\u6a21\u3001\u7ec4\u88c5\u3001\u76d1\u63a7\u548c\u90e8\u7f72\u63d0\u4f9b\u4e86\u4e00\u7cfb\u5217\u7684\u76f8\u5173\u5de5\u5177\u3002WebSphere Lombardi Edition\uff08WLE\uff09\u662fBPM\u4ea7\u54c1\u7684\u524d\u8eab\u3002IBM BPM\u548cWLE\u4e2d\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\u6216\u6267\u884c\u672a\u7ecf\u6388\u6743\u7684\u64cd\u4f5c;\u8fd9\u53ef\u80fd\u6709\u52a9\u4e8e\u53d1\u52a8\u8fdb\u4e00\u6b65\u7684\u653b\u51fb\u3002\u76ee\u524d\uff0c\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "IBM Business Process Manager\u548cWebSphere Lombardi Edition\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "IBM WebSphere Lombardi Edition 7.2.0"
  },
  "referenceLink": "http://www.securityfocus.com/bid/73274",
  "serverity": "\u4e2d",
  "submitTime": "2015-07-09",
  "title": "IBM Business Process Manager\u548cWebSphere Lombardi Edition\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2015-0110 (GCVE-0-2015-0110)

Vulnerability from cvelistv5 – Published: 2017-09-15 20:00 – Updated: 2024-08-06 03:55

Summary

IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL.

Severity ?

No CVSS data available.

CWE

Assigner

ibm

References

URL

Tags

	https://www-304.ibm.com/support/docview.wss?uid=s…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/73274	vdb-entryx_refsource_BID

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T03:55:28.166Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www-304.ibm.com/support/docview.wss?uid=swg21694940"
          },
          {
            "name": "73274",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/73274"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-03-13T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-09-15T19:57:01",
        "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
        "shortName": "ibm"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www-304.ibm.com/support/docview.wss?uid=swg21694940"
        },
        {
          "name": "73274",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/73274"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@us.ibm.com",
          "ID": "CVE-2015-0110",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "IBM Business Process Manager (aka BPM) 7.5.x, 8.0.x, and 8.5.x and WebSphere Lombardi Edition (aka WLE) 7.2.x allow remote authenticated users to bypass intended access restrictions on internal service types via vectors involving the executeServiceByName URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www-304.ibm.com/support/docview.wss?uid=swg21694940",
              "refsource": "CONFIRM",
              "url": "https://www-304.ibm.com/support/docview.wss?uid=swg21694940"
            },
            {
              "name": "73274",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/73274"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
    "assignerShortName": "ibm",
    "cveId": "CVE-2015-0110",
    "datePublished": "2017-09-15T20:00:00",
    "dateReserved": "2014-11-18T00:00:00",
    "dateUpdated": "2024-08-06T03:55:28.166Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2015-04402

CVE-2015-0110 (GCVE-0-2015-0110)

Tags

Sightings

Nomenclature