Jul 11, 2019 - 1:05 p.m.

Security Bulletin: Path Traversal exposure in the Save/Export function of the FTM OAC

www.ibm.com

EPSS: 0.001 (Low), percentile 45.3%

Summary

The “Save/Export” function available on all search result displays (tabulated results) is potentially vulnerable to a Path Traversal type attack.

Vulnerability Details

CVEID: CVE-2018-1847
DESCRIPTION: IBM Financial Transaction Manager (FTM) for Multi-Platform (MP) could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150946> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)
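The flaw described above is the classic one: a user-supplied file name reaches the filesystem without being confined to the directory the export function is meant to serve. The following Python is an added example, not IBM's code and not a description of how the OAC is implemented. It shows the check a hardened export handler would apply (canonicalise the requested name, then verify it still lies inside the allowed base directory, rejecting encoded and double-encoded "dot dot" sequences as well) and a detection pass over constructed access-log lines. The base directory /opt/ftm/exports, the /oac/export endpoint and the `file` parameter are assumptions made for illustration.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumption for this example: the only directory an export handler may read from.
EXPORT_BASE = os.path.realpath(os.path.join(os.sep, "opt", "ftm", "exports"))

# A '..' segment: not preceded by a word character or another dot (so "q1..csv"
# is not flagged), and followed by a path separator or end of string.
DOTDOT_SEGMENT = re.compile(r"(?<![\w.])\.\.(?=[/\\]|$)")

# Request URL inside a Common Log Format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) ')


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f are seen as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_export_path(requested: str, base: str = EXPORT_BASE) -> Optional[str]:
    """Canonicalise `requested` relative to `base` and return the resulting
    path only if it is a file location strictly inside `base`; otherwise None.

    os.path.realpath collapses '..' segments and resolves symlinks, so a
    traversal attempt resolves to a location outside `base` and fails the
    commonpath check. Absolute names and NUL bytes are rejected outright."""
    name = decode_fully(requested).replace("\\", "/")
    if not name or "\x00" in name or name.startswith("/"):
        return None
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_traversal_request(url: str) -> bool:
    """True if the fully decoded URL (path or query) carries a '..' segment."""
    decoded = decode_fully(url).replace("\\", "/")
    return DOTDOT_SEGMENT.search(decoded) is not None


def flag_traversal_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, url) for every log entry whose request URL
    contains a directory-traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        url = match.group(1)
        if is_traversal_request(url):
            hits.append((line.split(" ", 1)[0], url))
    return hits


# Constructed sample access-log lines; the /oac/export endpoint and the
# `file` parameter are assumptions, not the product's real interface.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [11/Jul/2019:13:05:02 +0000] "GET /oac/export?file=report.csv HTTP/1.1" 200 1532
10.0.0.9 - - [11/Jul/2019:13:05:07 +0000] "GET /oac/export?file=../../../../etc/hosts HTTP/1.1" 200 310
10.0.0.9 - - [11/Jul/2019:13:05:09 +0000] "GET /oac/export?file=..%2f..%2fconf%2fserver.xml HTTP/1.1" 200 4096
10.0.0.9 - - [11/Jul/2019:13:05:11 +0000] "GET /oac/export?file=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 310
10.0.0.7 - - [11/Jul/2019:13:05:15 +0000] "GET /oac/export?file=q1..csv HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for ip, url in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print(f"traversal attempt from {ip}: {url}")
    print(resolve_export_path("report.csv"))          # a path inside the export directory
    print(resolve_export_path("../../../etc/hosts"))  # None: rejected
```

The check deliberately canonicalises before comparing rather than searching for "..": a naive substring filter would reject legitimate names such as q1..csv and could be bypassed by encodings it did not anticipate, whereas comparing the resolved path against the base directory rejects anything that escapes it regardless of how the escape was spelled. The log pass is the complementary detection view: with no vendor workaround available, a 200 response to a request carrying a decoded ".." segment against the export endpoint is the signal to look for in proxy or application-server logs.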

Affected Products and Versions

Principal Product and Version(s)
Financial Transaction Manager for MP v2.0.0.0 through 2.0.0.5
Financial Transaction Manager for MP v2.1.0.0 through 2.1.0.4
Financial Transaction Manager for MP v2.1.1.0 through 2.1.1.4
Financial Transaction Manager for MP v3.0.0.0 through 3.0.0.8
Financial Transaction Manager for MP v3.2.0 and Financial Transaction Manager for MP v3.2.2 are not affected.

Remediation/Fixes

Customers are advised to download the latest version of Financial Transaction Manager from Fix Central (<https://www.ibm.com/support/home/>) to obtain the very latest version of the OAC (Web UI).

The OAC from the latest versions of the product is supported against the latest fixpack levels of each of the affected Financial Transaction Manager releases (2.0.0.5, 2.1.0.4, 2.1.1.4 and 3.0.0.9).

Customers using Financial Transaction Manager for MP v3.0.0.x may prefer to upgrade to Financial Transaction Manager for MP v3.0.0.9.

| Principal Product and Version(s) | APAR | Remediation/First Fix |
|---|---|---|
| Financial Transaction Manager for MP v2.0.0.0 through 2.0.0.5 | PI88510 | 3.2.2.0-FTM-MP-iFix0002 |
| Financial Transaction Manager for MP v2.1.0.0 through 2.1.0.4 | PI88510 | 3.2.2.0-FTM-MP-iFix0002 |
| Financial Transaction Manager for MP v2.1.1.0 through 2.1.1.4 | PI88510 | 3.2.2.0-FTM-MP-iFix0002 |
| Financial Transaction Manager for MP v3.0.0.0 through 3.0.0.8 | PI88510 | 3.0.0-FTM-MP-fp0009 |

Workarounds and Mitigations

None
