IBM Engineering Test Management: Files in the system can be deleted via a gap

IBM App Connect Enterprise, IBM Integration Bus, IBM Engineering Test Management and IBM Tivoli Network Manager are vulnerable. Administrators should promptly install the versions that are protected against possible attacks.

IBM Engineering Test Management is a management solution used, for example, in software deployment. Attackers could exploit three vulnerabilities (CVE-2022-26258 “high”, CVE-2022-26259 “high”, CVE-2022-29505 “high”). If an attack on a vulnerability in the XStream Java library succeeds, remote attackers could execute their own commands because user input is insufficiently checked.

In addition, files in the system can be deleted. The following releases are protected against this:

  • IBM Engineering Test Management 7.0.2 iFix008
  • IBM Engineering Test Management 7.0.1 iFix012
  • IBM Engineering Test Management 7.0 iFix013
  • Rational Quality Manager 6.0.6.1 iFix020
  • Rational Quality Manager 6.0.6 iFix024

Among other things, IBM Tivoli Network Manager visualizes the topology of networks. The application is affected by four vulnerabilities, two of which are rated “high” (CVE-2022-35516, CVE-2022-36090). If attackers foist a prepared TAR archive on victims, errors can occur when the Apache Commons Compress compression library processes it, causing crashes (DoS).

The developers state that they have resolved the problems in ITNM 4.2 Fix Pack 15 (i.e. 4.2.0.15). The following builds are fixed:

  • 4.2.0-TIV-ITNMIP-Linux-FP0015
  • 4.2.0-TIV-ITNMIP-zLinux-FP0015
  • 4.2.0-TIV-ITNMIP-AIX-FP0015

With IBM App Connect Enterprise, business information is transferred across multiple hardware and software platforms. IBM Integration Bus connects applications regardless of their message format or protocol. By sending a crafted request (CVE-2022-44906 “medium”), attackers could push malicious code onto systems and execute it.

IBM App Connect Enterprise Version v11 – Fix Pack 11.0.0.18 and IBM App Connect Enterprise Version v12 – Fix Pack 12.0.4.0 are protected against such attacks. IBM Integration Bus users must apply a workaround described in an advisory to protect their systems.
