Security Bulletin: Remote code execution possible due to insecure REST endpoint (CVE-2016-8938)
Summary IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host customer's production applications. Vulnerability Details CVEID: CVE-2016-8938 DESCRIPTION:...
Security Bulletin: Multiple UCD REST endpoints allow unauthorized users to view data (CVE-2016-0373)
Summary IBM UrbanCode Deploy could allow an authenticated user to read sensitive information due to UCD REST endpoints not properly authorizing users when determining who can read data. Vulnerability Details CVEID: CVE-2016-0373 DESCRIPTION: IBM UrbanCode Deploy could allow an authenticated user ...
Security Bulletin: REST endpoints do not properly authorize, allowing users to modify data with insufficient permissions (CVE-2016-0320)
Summary IBM UrbanCode Deploy could allow an authenticated user to modify UCD objects due to multiple REST endpoints not properly authorizing users editing UCD objects. This could affect the behavior of legitimately triggered processes. Vulnerability Details CVEID: CVE-2016-0320 DESCRIPTION: IBM...
Security Bulletin: API and CLI getResource expose secured role properties (CVE-2016-6068)
Summary IBM UrbanCode Deploy could allow an authenticated user with access to the REST endpoints to access API and CLI getResource secured role properties. Vulnerability Details CVEID: CVE-2016-6068 DESCRIPTION: IBM UrbanCode Deploy could allow an authenticated user with access to the REST...
Security Bulletin: Pre-processing and post-processing scripts can access the entire domain model of server or agent (CVE-2016-2942)
Summary IBM UrbanCode Deploy could allow an authenticated attacker with special permissions to craft a script on the server in a way that will cause processes to run on a remote UCD agent machine. Vulnerability Details CVEID: CVE-2016-2942 DESCRIPTION: IBM UrbanCode Deploy could allow an...
Security Bulletin: Properties with special characters in IBM UrbanCode Deploy might not be obfuscated correctly (CVE-2016-0364)
Summary Secure properties in IBM UrbanCode Deploy that contain certain special characters are not obfuscated correctly in the step output logs of steps that use the properties. Vulnerability Details CVEID: CVE-2016-0364 DESCRIPTION: IBM UrbanCode Deploy could allow an authenticated user with...
Security Bulletin: Relays do not properly authenticate agents attempting to download artifacts (CVE-2016-0365)
Summary When using Codestation caching of artifacts on agent relays, agents can download artifacts without properly authenticating. Vulnerability Details CVEID: CVE-2016-0365 DESCRIPTION: IBM UrbanCode Deploy could allow an attacker with special knowledge of the system to download artifacts witho...
Security Bulletin: Secure Properties in IBM UrbanCode Deploy Vulnerable (CVE-2016-0267)
Summary Certain secure properties in IBM UrbanCode Deploy can be obtained by an authenticated user from the server UI. Also, certain secure properties can be obtained in plain text from the IBM UrbanCode Deploy database by a user who has read permission to the database. Vulnerability Details CVEI...
Security Bulletin: IBM UrbanCode Deploy Agents Don't Verify Server Identity (CVE-2016-0271)
Summary Mutual authentication in IBM UrbanCode Deploy ensures that unknown agents cannot connect to the server over JMS. However, if a trusted agent is compromised, it can impersonate the server and send work to other agents. Agents do not verify the identity of the server over either HTTP or JMS...
Security Bulletin: Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Deploy (CVE-2015-5345, CVE-2015-5346, CVE-2015-5351)
Summary Multiple vulnerabilities in Apache Tomcat affect IBM UrbanCode Deploy. Vulnerability Details CVEID: CVE-2015-5345 DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error when accessing a protected directory. By redirecting to the URL, a...
Security Bulletin: Multiple XSS Vulnerabilities in IBM UrbanCode Deploy (CVE-2015-7415)
Summary Multiple persistent XSS vulnerabilities were discovered in IBM UrbanCode Deploy. Vulnerability Details CVE ID: CVE-2015-7415 Description: IBM UrbanCode Deploy is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this...
Security Bulletin: Exposed Authentication Token in IBM UrbanCode Deploy (CVE-2015-4964)
Summary In previous versions of IBM UrbanCode Deploy, the authentication token is displayed in the execution logs. In certain steps that are run using the admin user permissions, this can allow non-administrator users to impersonate the admin user. In other processes, this can allow other users t...
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns (CVE-2015-2590, CVE-2015-4733, CVE-2015-4748, CVE-2015-2621, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931)
Summary There are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Versions 1.7.0 and 1.7.1 that are used by IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns. These issues were disclosed as part of the IBM Java SDK updates in July 2015. Vulnerability Details...
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns
Summary There are multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Versions 1.7.0 and 1.7.1 that are used by IBM UrbanCode Deploy and IBM UrbanCode Deploy with Patterns. These issues were disclosed as part of the IBM Java SDK updates in July 2015. Vulnerability Details...
Security Bulletin: Vulnerability in DHE key exchange algorithm affects IBM UrbanCode Deploy (CVE-2015-4000)
Summary SSL cipher suites using non-Elliptic Curve Diffie-Hellman key exchange algorithms with key sizes of less than 1024 are vulnerable to man in the middle attacks. Previous versions of the IBM UrbanCode Deploy server left these cipher suites enabled. Vulnerability Details CVE ID: CVE-2015-400...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM UrbanCode Deploy (CVE-2014-0227)
Summary Previous releases of IBM UrbanCode Deploy are affected by an HTTP request smuggling vulnerability in Apache Tomcat. Vulnerability Details CVE ID: CVE-2014-0227 Description: Apache Tomcat is vulnerable to HTTP request smuggling. A remote attacker could send a specially-crafted request in a...
Security Bulletin: Vulnerability in SSLv3 affects IBM UrbanCode Deploy (CVE-2014-3566)
Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled in IBM UrbanCode Deploy. Vulnerability Details...
Security Bulletin: Exposed Keystores in IBM UrbanCode Deploy
Summary The 6.1.0.2 release of IBM UrbanCode Deploy may expose secret keystores to a user with access to the correct page. Vulnerability Details...
Security Bulletin: Apache Tomcat Vulnerabilities in IBM UrbanCode Deploy (CVE-2014-0075,CVE-2014-0095,CVE-2014-0096,CVE-2014-0099,CVE-2014-0119)
Summary Previous releases of IBM UrbanCode Deploy are affected by vulnerabilities in Apache Tomcat that may allow remote attackers to influence the availability of the server or obtain sensitive information. Vulnerability Details...
Security Bulletin: Apache Tomcat and FileUpload Vulnerabilities in IBM UrbanCode Deploy (CVE-2014-0050, CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590)
Summary Previous releases of IBM UrbanCode Deploy are affected by vulnerabilities in Apache Tomcat and FileUpload that may allow remote attackers to influence the availability of the server or obtain sensitive information. Vulnerability Details...