SB2018122406 - Multiple vulnerabilities in IBM API Connect
Published: December 24, 2018 Updated: December 26, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Privilege escalation (CVE-ID: CVE-2018-1973)
The vulnerability allows a remote attacker to gain elevated privileges on the target system.
The vulnerability exists due to an unspecified flaw. A remote attacker with limited 'API Administrator' level access can gain full 'Administrator' level access through the members functionality.
2) Authentication bypass (CVE-ID: CVE-2018-1778)
The vulnerability allows a remote attacker to bypass authentication on the target system.
The vulnerability exists when the AccessToken model is exposed over a REST API. A remote attacker can bypass authentication by creating an AccessToken for any user whose userID they know, and thereby gain access to that user's data and privileges (for example, if that user happens to be an Admin).
3) Privilege escalation (CVE-ID: CVE-2018-1784)
The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target system.
The vulnerability exists due to a NoSQL injection in the MongoDB connector for the LoopBack framework. A remote attacker can gain elevated privileges and read or modify arbitrary data.
Remediation
Install the update from the vendor's website.