IBM fixes several vulnerabilities in webMethods

IBM has issued patches for multiple vulnerabilities in its webMethods Integration Server that could allow authenticated users to execute arbitrary commands, escalate privileges, and read sensitive files.

Vulnerabilities details

  • CVE-2024-45076, CVSS score 9.9 (critical), allows an authenticated user to upload and execute malicious files on the underlying operating system. This gives an attacker significant control over the server, potentially leading to data breaches, service disruption, or complete system compromise.
  • CVE-2024-45075, CVSS score 8.8 (high), allows an authenticated user to create scheduler tasks that are missing an authentication check, leading to privilege escalation. An attacker could exploit this flaw to gain administrative access, further extending their control over the system.
  • CVE-2024-45074, CVSS score 6.5 (medium), is a directory traversal flaw that lets an authenticated user read files outside the intended scope. Less severe than the previous two, it could still lead to unauthorized data exposure.
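The directory traversal class behind CVE-2024-45074 is worth seeing concretely. The following is an added illustration written for this page, not webMethods code and not IBM's fix: it places the vulnerable pattern (joining a caller-supplied path onto a base directory with no containment check) beside a hardened resolver that rejects absolute input and confirms the normalised result still lies under the base. The base directory `/srv/app/public` and the sample requests are constructed for the example.

```python
import os

# Constructed sandbox root standing in for the "intended scope" of a
# hypothetical file-serving feature. Illustrative only; the path is an assumption.
BASE_DIR = "/srv/app/public"


def resolve_unsafe(base: str, user_path: str) -> str:
    """Vulnerable pattern: join the caller-supplied path and normalise it
    without checking where it ends up. '..' segments walk out of base."""
    return os.path.normpath(os.path.join(base, user_path))


def is_within(base: str, candidate: str) -> bool:
    """True if candidate is base itself or lies below it, compared on
    normalised absolute paths so '..' segments cannot fool the check."""
    base_abs = os.path.normpath(os.path.abspath(base))
    cand_abs = os.path.normpath(os.path.abspath(candidate))
    return os.path.commonpath([base_abs, cand_abs]) == base_abs


def resolve_safe(base: str, user_path: str) -> str:
    """Hardened pattern: reject absolute input, normalise, then confirm the
    result is still inside base. Raises ValueError on any escape attempt."""
    if os.path.isabs(user_path):
        # os.path.join discards base entirely when given an absolute argument.
        raise ValueError(f"absolute path rejected: {user_path!r}")
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    candidate = os.path.normpath(os.path.join(base, user_path))
    if not is_within(base, candidate):
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def classify(base: str, user_path: str) -> str:
    """Return 'allowed' or 'blocked' for a request; handy for a quick audit
    of paths seen in access logs."""
    try:
        resolve_safe(base, user_path)
        return "allowed"
    except ValueError:
        return "blocked"


if __name__ == "__main__":
    # Constructed sample requests: benign, classic traversal, absolute path,
    # and a '..' sequence that stays inside the base.
    requests = ["docs/readme.txt", "../../../etc/passwd", "/etc/passwd", "docs/../../public/x"]
    for req in requests:
        print(f"{req!r:24} unsafe -> {resolve_unsafe(BASE_DIR, req):30} safe -> {classify(BASE_DIR, req)}")
```

The check compares normalised paths rather than looking for the literal string `..`, so encoded or repeated separators that normalise to the same escape are caught as well; on a live system you would additionally resolve symlinks (`os.path.realpath`) before the containment test, since a link inside the base can still point outside it.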

Organizations running IBM webMethods Integration version 10.15 are strongly urged to apply the recommended fixes immediately. The potential impact of these vulnerabilities is significant, making prompt action crucial to safeguard your systems and data.

IBM has released Corefix 14 for Integration Server to address these vulnerabilities. Users are advised to download and install this fix using Update Manager as soon as possible.
