IBM Maximo Asset Management is vulnerable to server side request forgery (SSRF)
CVEID:CVE-2020-4529
**DESCRIPTION:**IBM Maximo Asset Management is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182713 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
This vulnerability affects the following versions of the IBM Maximo Asset Management core product. Older versions of Maximo Asset Management may be impacted. The recommended action is to update to the latest version.
Maximo Asset Management core product versions affected:
Affected Product(s) | Version(s) |
---|---|
IBM Maximo Asset Management | 7.6.0 |
IBM Maximo Asset Management | 7.6.1 |
Industry Solutions products affected if using an affected core version:
Maximo for Aviation
Maximo for Life Sciences
Maximo for Nuclear Power
Maximo for Oil and Gas
Maximo for Transportation
Maximo for Utilities
IBM Control Desk products affected if using an affected core version:
SmartCloud Control Desk
IBM Control Desk
Tivoli Integration Composer
Since IBM Maximo Asset Management version 7.6.0.4, we added the feature of non-applet printing, and a property where applet printing is disabled by default. To remediate this vulnerability, do not use applet printing. To verify that applet printing is disabled, please follow the steps listed in the Workarounds/Mitigations section.
There is a configuration that can stop the usage of applets when performing direct print:
1. Log in to Maximo and go to System Properties
2. Filter for mxe.report.directprint.useapplet
3. Set the value for that property to 0
4. Do a Live Refresh of the property value