IBM QRadar 7.3.0 to 7.3.3 Patch 2 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted request specifying a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server. IBM X-Force ID: 175898.
{"zdt": [{"lastseen": "2020-07-19T16:06:00", "description": "QRadar Community Edition version 7.3.1.6 is vulnerable to instantiation of arbitrary objects based on user-supplied input. An authenticated attacker can abuse this to perform various types of attacks including server-side request forgery and (potentially) arbitrary execution of code.", "cvss3": {}, "published": "2020-04-24T00:00:00", "type": "zdt", "title": "QRadar Community Edition 7.3.1.6 Arbitrary Object Instantiation Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-4272"], "modified": "2020-04-24T00:00:00", "id": "1337DAY-ID-34302", "href": "https://0day.today/exploit/description/34302", "sourceData": "------------------------------------------------------------------------\r\nArbitrary class instantiation & local file inclusion vulnerability in\r\nQRadar Forensics web application\r\n\r\n------------------------------------------------------------------------\r\nAbstract\r\n------------------------------------------------------------------------\r\nIt was found that the QRadar Forensics web application is vulnerable to\r\ninstantiation of arbitrary objects based on user-supplied input. An\r\nauthenticated attacker can abuse this to perform various types of\r\nattacks including Server-Side Request Forgery and (potentially)\r\narbitrary execution of code.\r\n\r\nIn addition, the same input is also used to include PHP files, which can\r\nbe used to include arbitrary local files. By abusing the case upload\r\nfunctionality, it is possible for an authenticated user to upload a PHP\r\nfile to a known location on the system. By exploiting the local file\r\ninclusion vulnerability it is possible to run arbitrary PHP code. 
This\r\ncode will be executed with the privileges of the Apache system user\r\n(generally the nobody user).\r\n\r\n------------------------------------------------------------------------\r\nSee also\r\n------------------------------------------------------------------------\r\nCVE-2020-4272 [2]\r\n6189645 [3] - IBM QRadar SIEM is vulnerable to instantiation of\r\narbitrary objects (CVE-2020-4272)\r\n\r\n------------------------------------------------------------------------\r\nTested versions\r\n------------------------------------------------------------------------\r\nThis issue was successfully verified on QRadar Community Edition [4]\r\nversion 7.3.1.6 (7.3.1 Build 20180723171558).\r\n\r\n------------------------------------------------------------------------\r\nFix\r\n------------------------------------------------------------------------\r\nIBM has released the following versions of QRadar in which this issue\r\nhas been resolved:\r\n\r\n- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS)\r\n- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS)\r\n- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS)\r\n- QRadar Incident Forensics 7.4.0 [8] (ISO)\r\n- QRadar Incident Forensics 7.4.0 [9] (SFS)\r\n\r\n------------------------------------------------------------------------\r\nIntroduction\r\n------------------------------------------------------------------------\r\nQRadar [10] is IBM's enterprise SIEM [11] solution. A free version of\r\nQRadar is available that is known as QRadar Community Edition [4]. This\r\nversion is limited to 50 events per second and 5,000 network flows a\r\nminute, supports apps, but is based on a smaller footprint for\r\nnon-enterprise use.\r\n\r\nThe QRadar web application contains functionality to render various\r\ngraphs. The graph that needs to be rendered is based on user-supplied\r\nrequest parameters. The correct graph and dataset classes are\r\ndynamically loaded based on these parameters. 
No validation is performed\r\non the user-supplied parameters, allowing authenticated users to\r\ninstantiate arbitrary classes, which can be exploited to perform various\r\nattacks including Server-Side Request Forgery and (potentially)\r\narbitrary execution of code via specially crafted Phar files [12].\r\n\r\nIn case a dataset class is provided that has not been declared (loaded)\r\nyet, the code tries to include the correct PHP file in which the class\r\nis defined. The file name of the include file is also based on the same\r\nrequest parameter. Consequently, the web application is vulnerable to\r\nlocal file inclusion.\r\n\r\nIf an attacker manages to place an arbitrary PHP file on the local\r\nsystem, it is possible to abuse this issue to run arbitrary PHP code. It\r\nwas found that the case upload functionality allows uploading of PHP\r\nfiles to a known location, thus allowing for the execution of arbitrary\r\nPHP code. This code will be executed with the privileges of the Apache\r\nsystem user (generally the nobody user).\r\n\r\n\r\n------------------------------------------------------------------------\r\nDetails\r\n------------------------------------------------------------------------\r\nThese issues are present in the graphs.php file. This PHP file accepts a\r\nnumber of request parameters, including chart, dataset, and\r\noutput_image.\r\n\r\n/opt/ibm/forensics/html/graphs.php:\r\n$chart = ( isset($_REQUEST['chart']) ?\r\nhtmlspecialchars($_REQUEST['chart']) : null );\r\n$dataClass = ( isset($_REQUEST['dataset']) ?\r\nhtmlspecialchars($_REQUEST['dataset']) : null );\r\n$output_image = ( isset($_REQUEST['output_image']) ?\r\n$_REQUEST['output_image'] : null );\r\n\r\nIf the output_image parameter is set to true, the PHP code will directly\r\ntry to instantiate an object with the name provided in the chart\r\nparameter. 
One argument is passed to the constructor, for which the value\r\nis obtained from a request parameter with the same name as the selected\r\nclass name. If the class is successfully loaded, the drawChart() method\r\nis called - regardless of whether this method actually exists.\r\n\r\n/opt/ibm/forensics/html/graphs.php:\r\n// Present the data\r\n$cparams = $_REQUEST[$chart];\r\n$cs = new $chart($cparams);\r\nif($cs)\r\n $cs->drawChart();\r\n\r\nNo validation is performed on the user-supplied input, allowing for\r\nauthenticated attackers to instantiate practically any object in scope\r\nof the page. In addition, the first argument that is passed to the\r\nconstructor is also controlled by the attacker.\r\n\r\nWhat an attacker might do depends on the class that is instantiated and\r\nthe code that is executed by the constructor. A possible attack scenario\r\nwould be to perform a Server-Side Request Forgery attack by\r\ninstantiating a class that calls a method supporting one of the built-in\r\nPHP wrappers [13].\r\n\r\nSeveral classes exist in the Forensics code base, like the\r\nDistribConfigHelper class. There are also built-in PHP classes that are\r\nin scope and also allow for Server-Side Request Forgery, like the\r\nSplFileObject [14] class. For example:\r\n\r\nhttps://<ip>/forensics/graphs.php?chart=DistribConfigHelper&DistribConfigHelper=https://127.0.0.1/&output_image=1\r\nhttps://<ip>/forensics/graphs.php?chart=SplFileObject&SplFileObject=https://127.0.0.1/&output_image=1\r\nhttps://<ip>/forensics/graphs.php?chart=SplFileObject&SplFileObject=php://filter/read=string.toupper/resource=https://127.0.0.1/&output_image=1\r\n\r\nUsing the same PHP wrappers it is also possible to load arbitrary Phar\r\n[15] files from the local machine. A known attack [12] (by Sam Thomas\r\n[16]) exists where an attacker can trigger PHP objects to be\r\ndeserialized when a Phar file is loaded. 
Although code execution through\r\ndeserialization is possible in the Forensics application, exploiting\r\nthis issue is not that trivial. In particular, the attack can only be\r\nexecuted from an object with a __wakeup() or __destruct() PHP magic\r\nmethod [17]. The classes in scope of the vulnerable page don't appear to\r\nhave suitable magic methods that could be used to execute an exploit\r\n(POP) chain.\r\n\r\nBesides finding a suitable magic method, exploiting the Phar wrapper\r\nalso requires that the attacker can place a Phar file on the target\r\nsystem, as Phar files can't be loaded from remote locations. It was\r\nfound that the case upload functionality allows uploading of files to a\r\nknown location. However, since the graph page also contains a local file\r\ninclusion vulnerability, it makes more sense to target that\r\nvulnerability instead.\r\n\r\nThe vulnerable code is executed in case the output_image request\r\nparameter isn't present or is set to false. In this case the requested\r\nclass name is provided in the dataset request parameter. If this class\r\nisn't (yet) in scope of the PHP page, an attempt is made to load it.\r\nThis is done by iterating through a list of predefined folder names; if a\r\nfile exists with the same name as the requested class, it will be\r\nincluded, after which another check is done to see if the class is in\r\nscope.\r\n\r\n/opt/ibm/forensics/html/graphs.php:\r\n$haveDataClass = class_exists($dataClass);\r\nif(!$haveDataClass) {\r\n foreach(array('', $DEJAVU_URL. 'Reports/','reports/') as $path) {\r\n $module = $path . $dataClass . \".php\";\r\n if(file_exists($module)) {\r\n try {\r\n require_once($module);\r\n $haveDataClass = class_exists($dataClass);\r\n if($haveDataClass)\r\n break;\r\n } catch (Exception $e) {\r\n // Do nothing\r\n $msg = $e->getMessage();\r\n }\r\n }\r\n}\r\n\r\nAs no validation is done on the class name, it is possible to include\r\nfiles outside of these folders using path traversal. 
However this isn't\r\nreally needed as the first folder that is searched is empty, thus\r\nallowing for absolute path names. In addition, it is also possible to\r\nprovide URL type paths. The call to file_exists() will block most PHP\r\nwrappers. Some built-in wrappers will pass through the file_exists()\r\ncall, including the ftp:// [18] and ssh2.sftp:// [19] wrappers. In\r\ntheory, it should be possible to include a file over (S)FTP were it not that\r\nincluding files from remote locations has been disabled in the PHP\r\nconfiguration.\r\n\r\n/etc/php.ini:\r\n; http://php.net/allow-url-include\r\nallow_url_include = Off\r\n\r\nBecause it is possible to upload arbitrary files via the case upload\r\nfunctionality, it is not that difficult to run arbitrary PHP code\r\nregardless of these restrictions. Although other methods also exist, we\r\ncan just upload a PHP file to a known location and abuse this local file\r\ninclusion vulnerability to execute the uploaded file.\r\n\r\n------------------------------------------------------------------------\r\nReferences\r\n------------------------------------------------------------------------\r\n[1] https://www.securify.nl/advisory/SFY20200407/arbitrary-class-instantiation-_-local-file-inclusion-vulnerability-in-qradar-forensics-web-application.html\r\n[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4272\r\n[3] https://www.ibm.com/support/pages/node/6189645\r\n[4] https://developer.ibm.com/qradar/ce/\r\n[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http\r\n[6] 
https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http\r\n[7] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http\r\n[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http\r\n[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http\r\n[10] https://www.ibm.com/security/security-intelligence/qradar\r\n[11] https://en.wikipedia.org/wiki/Security_information_and_event_management\r\n[12] https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf\r\n[13] https://www.php.net/manual/en/wrappers.php\r\n[14] https://www.php.net/manual/en/splfileobject.construct.php\r\n[15] https://www.php.net/manual/en/book.phar.php\r\n[16] https://twitter.com/_s_n_t\r\n[17] https://www.php.net/manual/en/language.oop5.magic.php\r\n[18] https://www.php.net/manual/en/wrappers.ftp.php\r\n[19] https://www.php.net/manual/en/wrappers.ssh2.php\n\n# 0day.today [2020-07-19] #", "sourceHref": "https://0day.today/exploit/34302", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], 
"packetstorm": [{"lastseen": "2020-04-25T08:10:08", "description": "", "cvss3": {}, "published": "2020-04-21T00:00:00", "type": "packetstorm", "title": "QRadar Community Edition 7.3.1.6 Arbitrary Object Instantiation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-4272"], "modified": "2020-04-21T00:00:00", "id": "PACKETSTORM:157337", "href": "https://packetstormsecurity.com/files/157337/QRadar-Community-Edition-7.3.1.6-Arbitrary-Object-Instantiation.html", "sourceData": "`------------------------------------------------------------------------ \nArbitrary class instantiation & local file inclusion vulnerability in \nQRadar Forensics web application \n------------------------------------------------------------------------ \nYorick Koster, September 2019 \n \n------------------------------------------------------------------------ \nAbstract \n------------------------------------------------------------------------ \nIt was found that the QRadar Forensics web application is vulnerable to \ninstantiation of arbitrary objects based on user-supplied input. An \nauthenticated attacker can abuse this to perform various types of \nattacks including Server-Side Request Forgery and (potentially) \narbitrary execution of code. \n \nIn addition, the same input is also used to include PHP files, which can \nbe used to include arbitrary local files. By abusing the case upload \nfunctionality, it is possible for an authenticated user to upload a PHP \nfile to a known location on the system. By exploiting the local file \ninclusion vulnerability it is possible to run arbitrary PHP code. This \ncode will be executed with the privileges of the Apache system user \n(generally the nobody user). 
\n \n------------------------------------------------------------------------ \nSee also \n------------------------------------------------------------------------ \nCVE-2020-4272 [2] \n6189645 [3] - IBM QRadar SIEM is vulnerable to instantiation of \narbitrary objects (CVE-2020-4272) \n \n------------------------------------------------------------------------ \nTested versions \n------------------------------------------------------------------------ \nThis issue was successfully verified on QRadar Community Edition [4] \nversion 7.3.1.6 (7.3.1 Build 20180723171558). \n \n------------------------------------------------------------------------ \nFix \n------------------------------------------------------------------------ \nIBM has released the following versions of QRadar in which this issue \nhas been resolved: \n \n- QRadar / QRM / QVM / QNI 7.4.0 GA [5] (SFS) \n- QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3 [6] (SFS) \n- QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7 [7] (SFS) \n- QRadar Incident Forensics 7.4.0 [8] (ISO) \n- QRadar Incident Forensics 7.4.0 [9] (SFS) \n \n------------------------------------------------------------------------ \nIntroduction \n------------------------------------------------------------------------ \nQRadar [10] is IBM's enterprise SIEM [11] solution. A free version of \nQRadar is available that is known as QRadar Community Edition [4]. This \nversion is limited to 50 events per second and 5,000 network flows a \nminute, supports apps, but is based on a smaller footprint for \nnon-enterprise use. \n \nThe QRadar web application contains functionality to render various \ngraphs. The graph that needs to be rendered is based on user-supplied \nrequest parameters. The correct graph and dataset classes are \ndynamically loaded based on these parameters. 
No validation is performed \non the user-supplied parameters, allowing authenticated users to \ninstantiate arbitrary classes, which can be exploited to perform various \nattacks including Server-Side Request Forgery and (potentially) \narbitrary execution of code via specially crafted Phar files [12]. \n \nIn case a dataset class is provided that has not been declared (loaded) \nyet, the code tries to include the correct PHP file in which the class \nis defined. The file name of the include file is also based on the same \nrequest parameter. Consequently, the web application is vulnerable to \nlocal file inclusion. \n \nIf an attacker manages to place an arbitrary PHP file on the local \nsystem, it is possible to abuse this issue to run arbitrary PHP code. It \nwas found that the case upload functionality allows uploading of PHP \nfiles to a known location, thus allowing for the execution of arbitrary \nPHP code. This code will be executed with the privileges of the Apache \nsystem user (generally the nobody user). \n \n \n------------------------------------------------------------------------ \nDetails \n------------------------------------------------------------------------ \nThese issues are present in the graphs.php file. This PHP file accepts a \nnumber of request parameters, including chart, dataset, and \noutput_image. \n \n/opt/ibm/forensics/html/graphs.php: \n$chart = ( isset($_REQUEST['chart']) ? \nhtmlspecialchars($_REQUEST['chart']) : null ); \n$dataClass = ( isset($_REQUEST['dataset']) ? \nhtmlspecialchars($_REQUEST['dataset']) : null ); \n$output_image = ( isset($_REQUEST['output_image']) ? \n$_REQUEST['output_image'] : null ); \n \nIf the output_image parameter is set to true, the PHP code will directly \ntry to instantiate an object with the name provided in the chart \nparameter. One argument is passed to the constructor, for which the value \nis obtained from a request parameter with the same name as the selected \nclass name. 
If the class is successfully loaded, the drawChart() method \nis called - regardless of whether this method actually exists. \n \n/opt/ibm/forensics/html/graphs.php: \n// Present the data \n$cparams = $_REQUEST[$chart]; \n$cs = new $chart($cparams); \nif($cs) \n$cs->drawChart(); \n \nNo validation is performed on the user-supplied input, allowing for \nauthenticated attackers to instantiate practically any object in scope \nof the page. In addition, the first argument that is passed to the \nconstructor is also controlled by the attacker. \n \nWhat an attacker might do depends on the class that is instantiated and \nthe code that is executed by the constructor. A possible attack scenario \nwould be to perform a Server-Side Request Forgery attack by \ninstantiating a class that calls a method supporting one of the built-in \nPHP wrappers [13]. \n \nSeveral classes exist in the Forensics code base, like the \nDistribConfigHelper class. There are also built-in PHP classes that are \nin scope and also allow for Server-Side Request Forgery, like the \nSplFileObject [14] class. For example: \n \nhttps://<ip>/forensics/graphs.php?chart=DistribConfigHelper&DistribConfigHelper=https://127.0.0.1/&output_image=1 \nhttps://<ip>/forensics/graphs.php?chart=SplFileObject&SplFileObject=https://127.0.0.1/&output_image=1 \nhttps://<ip>/forensics/graphs.php?chart=SplFileObject&SplFileObject=php://filter/read=string.toupper/resource=https://127.0.0.1/&output_image=1 \n \nUsing the same PHP wrappers it is also possible to load arbitrary Phar \n[15] files from the local machine. A known attack [12] (by Sam Thomas \n[16]) exists where an attacker can trigger PHP objects to be \ndeserialized when a Phar file is loaded. Although code execution through \ndeserialization is possible in the Forensics application, exploiting \nthis issue is not that trivial. In particular, the attack can only be \nexecuted from an object with a __wakeup() or __destruct() PHP magic \nmethod [17]. 
The classes in scope of the vulnerable page don't appear to \nhave suitable magic methods that could be used to execute an exploit \n(POP) chain. \n \nBesides finding a suitable magic method, exploiting the Phar wrapper \nalso requires that the attacker can place a Phar file on the target \nsystem, as Phar files can't be loaded from remote locations. It was \nfound that the case upload functionality allows uploading of files to a \nknown location. However, since the graph page also contains a local file \ninclusion vulnerability, it makes more sense to target that \nvulnerability instead. \n \nThe vulnerable code is executed in case the output_image request \nparameter isn't present or is set to false. In this case the requested \nclass name is provided in the dataset request parameter. If this class \nisn't (yet) in scope of the PHP page, an attempt is made to load it. \nThis is done by iterating through a list of predefined folder names; if a \nfile exists with the same name as the requested class, it will be \nincluded, after which another check is done to see if the class is in \nscope. \n \n/opt/ibm/forensics/html/graphs.php: \n$haveDataClass = class_exists($dataClass); \nif(!$haveDataClass) { \nforeach(array('', $DEJAVU_URL. 'Reports/','reports/') as $path) { \n$module = $path . $dataClass . \".php\"; \nif(file_exists($module)) { \ntry { \nrequire_once($module); \n$haveDataClass = class_exists($dataClass); \nif($haveDataClass) \nbreak; \n} catch (Exception $e) { \n// Do nothing \n$msg = $e->getMessage(); \n} \n} \n} \n \nAs no validation is done on the class name, it is possible to include \nfiles outside of these folders using path traversal. However this isn't \nreally needed as the first folder that is searched is empty, thus \nallowing for absolute path names. In addition, it is also possible to \nprovide URL type paths. The call to file_exists() will block most PHP \nwrappers. 
Some built-in wrappers will pass through the file_exists() \ncall, including the ftp:// [18] and ssh2.sftp:// [19] wrappers. In \ntheory, it should be possible to include a file over (S)FTP were it not that \nincluding files from remote locations has been disabled in the PHP \nconfiguration. \n \n/etc/php.ini: \n; http://php.net/allow-url-include \nallow_url_include = Off \n \nBecause it is possible to upload arbitrary files via the case upload \nfunctionality, it is not that difficult to run arbitrary PHP code \nregardless of these restrictions. Although other methods also exist, we \ncan just upload a PHP file to a known location and abuse this local file \ninclusion vulnerability to execute the uploaded file. \n \n------------------------------------------------------------------------ \nReferences \n------------------------------------------------------------------------ \n[1] https://www.securify.nl/advisory/SFY20200407/arbitrary-class-instantiation-_-local-file-inclusion-vulnerability-in-qradar-forensics-web-application.html \n[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4272 \n[3] https://www.ibm.com/support/pages/node/6189645 \n[4] https://developer.ibm.com/qradar/ce/ \n[5] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http \n[6] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http \n[7] 
https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http \n[8] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http \n[9] https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http \n[10] https://www.ibm.com/security/security-intelligence/qradar \n[11] https://en.wikipedia.org/wiki/Security_information_and_event_management \n[12] https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf \n[13] https://www.php.net/manual/en/wrappers.php \n[14] https://www.php.net/manual/en/splfileobject.construct.php \n[15] https://www.php.net/manual/en/book.phar.php \n[16] https://twitter.com/_s_n_t \n[17] https://www.php.net/manual/en/language.oop5.magic.php \n[18] https://www.php.net/manual/en/wrappers.ftp.php \n[19] https://www.php.net/manual/en/wrappers.ssh2.php \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/157337/qradar7316-lfiinstant.txt", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2022-09-26T13:49:32", "description": "## Summary\n\nIBM QRadar SIEM is vulnerable to instantiation of arbitrary objects based on user-supplied input.\n\n## Vulnerability Details\n\n** CVEID: 
**[CVE-2020-4272](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4272>) \n** DESCRIPTION: **IBM QRadar could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted request specifying a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server. \nCVSS Base score: 5.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/175898](<https://exchange.xforce.ibmcloud.com/vulnerabilities/175898>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\n\u00b7 IBM QRadar 7.3.0 to 7.3.3 Patch 2\n\n \n\n\n## Remediation/Fixes\n\n[\u00b7 QRadar / QRM / QVM / QNI 7.4.0 GA](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QRSIEM-20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"QRadar / QRM / QVM / QNI 7.4.0 GA\" ) (SFS) \n\u00b7 [QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.3-QRADAR-QRSIEM-20200409085709&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"QRadar / QRM / QVM / QRIF / QNI 7.3.3 Patch 3\" ) (SFS) \n\u00b7 [QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.2-QRADAR-QRSIEM-20200406171249&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"QRadar / QRM / QVM / QRIF / QNI 7.3.2 Patch 7\" ) (SFS) \n\u00b7 [QRadar Incident Forensics 
7.4.0](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFFULL-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"QRadar Incident Forensics 7.4.0\" ) (ISO) \n\u00b7 [QRadar Incident Forensics 7.4.0](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+Incident+Forensics&release=7.4.0&platform=Linux&function=fixId&fixids=7.4.0-QRADAR-QIFSFS-2019.18.0.20200304205308&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"QRadar Incident Forensics 7.4.0\" ) (SFS) \n\n**NOTE**: Administrators with QRadar Incident Forensics should be aware that a new ISO and SFS file are published to IBM Fix Central for QRadar Incident Forensics 7.4.0 versions\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Acknowledgement\n\nThe vulnerability was reported to IBM by Yorick Koster\n\n## Change History\n\n06 Apr 2020: Initial Publication\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n## Document Location\n\nWorldwide\n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSBQAC\",\"label\":\"IBM Security QRadar SIEM\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF016\",\"label\":\"Linux\"}],\"Version\":\"7.3, 7.4\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-14T14:28:33", "type": "ibm", "title": "Security Bulletin: IBM QRadar SIEM is vulnerable to instantiation of arbitrary objects (CVE-2020-4272)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4272"], "modified": "2020-04-14T14:28:33", "id": "5C14A161DB516BA7ABE4D2925413426D89D3C1F53BC53F593F189104615C4F83", "href": "https://www.ibm.com/support/pages/node/6189645", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}]}