IBM has revealed several severe vulnerabilities within its webMethods Integration Server, a platform widely utilized for integration and API management. These IBM webMethods Integration vulnerabilities, discovered in version 10.15 of the software, present multiple threats to organizations relying on this system.
The most severe of these webMethods Integration vulnerabilities is identified as CVE-2024-45076. It has been assigned a CVSS base score of 9.9, placing it in the Critical severity band.
The flaw allows an authenticated user to upload and execute arbitrary files on the underlying operating system. This high-risk vulnerability is particularly concerning due to its low complexity of exploitation and the minimal user interaction required.
Multiple IBM webMethods Integration Vulnerabilities
Alongside CVE-2024-45076, two other vulnerabilities have been identified. CVE-2024-45075 has a CVSS base score of 8.8 and permits an authenticated user to escalate their privileges to the administrator level.
This is due to missing authentication controls in the scheduler tasks. Similarly, CVE-2024-45074, with a CVSS base score of 6.5, allows authenticated users to traverse directories on the server by exploiting specially crafted URL requests containing “dot dot” sequences (/../). This could lead to unauthorized access to sensitive files.
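The "dot dot" traversal described for CVE-2024-45074 is a bug class that can be checked for generically on the defending side: decode the request path, normalize it, and confirm it still resolves beneath the web root. The example below is added here to illustrate that check and is not IBM's code; it knows nothing about webMethods internals, and the web root, request paths and access-log lines it uses are constructed for the illustration.

```python
"""Detect "dot dot" directory traversal in request paths (added example).

Not IBM or webMethods code. The web root "/srv/www", the request paths
and the access-log lines below are constructed for this illustration.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that double-encoded
    sequences such as %252e%252e%252f are seen as ../ rather than as text."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def resolve_under_root(web_root: str, request_path: str) -> Optional[str]:
    """Return the normalized absolute path if it stays under web_root, else None.

    Backslashes are treated as separators first so Windows-style traversal is
    caught as well; the query string is dropped because only the path matters.
    """
    decoded = decode_fully(request_path).replace("\\", "/")
    decoded = decoded.split("?", 1)[0]
    root = posixpath.normpath(web_root)
    joined = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if joined == root or joined.startswith(root + "/"):
        return joined
    return None


def is_traversal_attempt(request_path: str, web_root: str = "/srv/www") -> bool:
    """True when the request path would escape the web root after normalization."""
    return resolve_under_root(web_root, request_path) is None


# Constructed access-log lines in a common web-server format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Sep/2024:10:01:02 +0000] "GET /app/ping HTTP/1.1" 200 312
10.0.0.9 - - [04/Sep/2024:10:01:05 +0000] "GET /app/../../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [04/Sep/2024:10:01:07 +0000] "GET /app/%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [04/Sep/2024:10:01:09 +0000] "GET /app/%252e%252e%252f%252e%252e%252fetc/passwd HTTP/1.1" 404 0
10.0.0.7 - - [04/Sep/2024:10:01:11 +0000] "GET /app/static/logo.png HTTP/1.1" 200 8192
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_text: str, web_root: str = "/srv/www") -> list:
    """Return the request paths from the log that would escape the web root.

    Matching on the normalized result rather than on the literal string "../"
    means encoded and backslash variants are caught, while harmless uses of
    ".." that stay inside the root (e.g. /static/../index.html) are not flagged.
    """
    flagged = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_traversal_attempt(match.group("path"), web_root):
            flagged.append(match.group("path"))
    return flagged


if __name__ == "__main__":
    for path in flag_traversal_requests(SAMPLE_LOG):
        print("traversal attempt:", path)
```

The decision is made on the resolved path, not on the presence of the string "../": a request such as /static/../index.html stays under the root and passes, while plain, percent-encoded, double-encoded and backslash forms that climb above the root are all rejected by the same comparison.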
The vulnerabilities impact IBM webMethods Integration Server version 10.15. Organizations using this version are strongly advised to address these issues promptly to safeguard their systems.
IBM recommends that affected users apply the necessary fixes immediately. Corefix 14 for Integration Server is available through the Update Manager. The steps for applying the fix are:
- Open the Update Manager application in online mode, using either the command line or graphical interface, as detailed in the Connecting to Empower guide.
- Go to “View Fixes” and select “View Fixes from Empower.”
- Choose a product directory to list all available fixes on Empower, or enter a test patch key to locate a specific support patch for the chosen product installation.
- To see the latest fixes for all products licensed from Software AG, leave the product directory field unselected.
- Optionally, specify the location of a script for Update Manager to run; the script will check for fixes on Empower.
- Review the available fixes for the product, including the fix contents and readme for each item on the list.
As of now, no workarounds or mitigations are available, making it crucial for users to implement the provided fix to mitigate the risks associated with these vulnerabilities.
Change History
IBM has published the security bulletin detailing these vulnerabilities, and users are encouraged to subscribe to My Notifications for updates on critical product support alerts. This proactive approach can help organizations stay informed about essential security updates and address potential risks.
The vulnerabilities were reported to IBM by Matthew Galligan from CISA. For additional information and ongoing updates, refer to the IBM Secure Engineering Web Portal and the IBM Product Security Incident Response Blog.
The initial publication of the security bulletin was on September 4, 2024. Users are advised to regularly check the CVSS v3 Guide and related resources to evaluate the impact of these vulnerabilities within their specific environments.
The disclosed vulnerabilities in the IBM webMethods Integration Server highlight the critical need for immediate action to protect systems from potential exploitation. Organizations are urged to apply the necessary fixes and stay informed through official IBM channels to protect their infrastructure against these threats.
