Published: Apr 13, 2023 - 10:18 a.m.

Security Bulletin: IBM Security Verify Governance is vulnerable to remote attacks to execute arbitrary code on the system [CVE-2013-4521, CVE-2013-2165 and CVE-2018-14667]

Source: www.ibm.com

CVSS3: 9.8 High

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.654 Medium (percentile 97.9%)

Summary

IBM Security Verify Governance is vulnerable to remote attacks that could execute arbitrary code on the system: through a failure to restrict the classes for which deserialization methods can be called [CVE-2013-4521], through an error in the handling of deserialization [CVE-2013-2165], and through an Expression Language (EL) injection flaw in the UserResource resource [CVE-2018-14667].

Vulnerability Details

CVEID:CVE-2013-4521
**DESCRIPTION:**Nuxeo Platform could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the classes for which deserialization methods can be called. A remote attacker could exploit this vulnerability using specially crafted serialized data to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177062 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2013-2165
**DESCRIPTION:**JBoss RichFaces could allow a remote attacker to execute arbitrary code on the system, caused by an error related to the handling of deserialization. An attacker could exploit this vulnerability to trigger the execution of the deserialization methods in any serializable class and execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/85630 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID:CVE-2018-14667
**DESCRIPTION:**Red Hat JBoss could allow a remote attacker to execute arbitrary code on the system, caused by an Expression Language (EL) injection flaw in the UserResource resource. By sending a specially crafted serialized Java object (org.ajax4jsf.resource.UserResource$UriData) carrying an EL expression, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152665 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
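The common root of CVE-2013-4521 and CVE-2013-2165 is an ObjectInputStream that will run the deserialization methods of any serializable class named in the stream. The example below is added here for illustration and is not IBM, Nuxeo or RichFaces code: it puts the unrestricted read beside a hardened reader that refuses, in resolveClass, every class not on an explicit allow-list, so a class the application never expects is rejected before it is loaded or instantiated. The allow-list contents and both sample payloads (an ArrayList as the "expected" object, an empty HashMap standing in for a hostile one) are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Set;

/**
 * Added example, not code from IBM or RichFaces: an unrestricted
 * ObjectInputStream next to one that only resolves an allow-list of classes.
 */
public class DeserializationAllowList {

    /** Classes this stream is expected to contain (assumed set for the demo).
     *  Integer's class descriptor is followed by its superclass Number, so the
     *  superclass must be permitted as well; String is written as a stream
     *  constant and never reaches resolveClass. */
    private static final Set<String> ALLOWED = Set.of(
            "java.util.ArrayList",
            "java.lang.Integer",
            "java.lang.Number");

    /** Vulnerable pattern: whatever class the stream names gets instantiated
     *  and its readObject/readResolve callbacks run. */
    static Object readUnrestricted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    /** Hardened pattern: reject any class descriptor not on the allow-list. */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Thrown before the class is loaded, so none of its
                // deserialization methods can execute.
                throw new InvalidClassException(name, "class not permitted in this stream");
            }
            return super.resolveClass(desc);
        }
    }

    static Object readAllowListed(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "legitimate" payload: the shape the application expects.
        ArrayList<Object> expected = new ArrayList<>();
        expected.add("user-42");
        expected.add(7);
        byte[] good = serialize(expected);

        // Constructed stand-in for a hostile payload: a class the application
        // never expects here. A real attack would name a gadget class instead.
        byte[] bad = serialize(new HashMap<String, String>());

        System.out.println("unrestricted, expected : " + readUnrestricted(good));
        System.out.println("unrestricted, hostile  : " + readUnrestricted(bad) + " (accepted)");
        System.out.println("allow-list, expected   : " + readAllowListed(good));
        try {
            readAllowListed(bad);
        } catch (InvalidClassException e) {
            System.out.println("allow-list, hostile    : rejected, " + e.getMessage());
        }
    }
}
```

On JDK 9 and later the same restriction can be expressed without subclassing, by setting a java.io.ObjectInputFilter built from a pattern such as "java.util.ArrayList;java.lang.Integer;java.lang.Number;!*", which additionally lets you cap stream depth and array sizes. Note the limit of this control: CVE-2018-14667 is triggered by an EL expression carried inside a class the endpoint legitimately expects (UserResource$UriData), so an allow-list alone does not close it; for all three issues the remediation is the fix pack listed below.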

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Verify Governance | 10.0 |

Remediation/Fixes

IBM encourages customers to upgrade their systems promptly.

| Affected Product(s) | Version(s) | First Fix |
|---|---|---|
| IBM Security Verify Governance | 10.0.1 | 10.0.1.0-ISS-ISVG-IGVA-FP0004 |

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
|---|---|---|
| ibm security verify governance | eq | 10.0 |
