Unauthenticated Access to read/write file system through IBIGraphServlet, UDDI and Webconsole


Article ID: KB0070250


Products: ibi WebFOCUS
Versions: WebFOCUS Version 9.2.2 and older

Description

The vulnerability reported against the 8206.33 release of WebFOCUS, in which IBIGraphServlet could write to any WebFOCUS application, has been addressed.

For example, the following paths could potentially be read by an unauthorized user:
https://*****.com/ibi_apps/IBIGraphServlet
https://*****.com/ibi_apps/uddi/*
https://*****.com/ibi_apps/webconsole/*

Issue/Introduction

The vulnerability was discovered during a penetration test, while accessing IBIGraphServlet to create files.

Resolution

The fix is applied in WebFOCUS version 9.2.3 and higher. To resolve this issue, upgrade WebFOCUS to 9.2.3 or a higher version.

Below are the details of this fix.
In previous versions of WebFOCUS, IBIGraphServlet could write to any of the WebFOCUS applications. This issue was resolved by granting write permission only to the WebFOCUS temp directory.

Starting with version 9.2.3, the following behavior is in place to mitigate these issues:

1. UDDI SOAP requests receive a 403 Access Denied response, removing the ability to read or access the local file system.

2. IBIGraphServlet can only write to the WebFOCUS temp directory.
The following error message is written to the log on any attempt to write anywhere other than the temp directory:
ERROR qtp1823688251-29 - Failed to create the path relative to [ ... ]

3. This has been resolved in versions starting from 9.2.3: Web Console Server-Side Injection > Remote Code Execution (RCE).
   Optionally, as an additional mitigation, set OPSYSCMD=OFF in edasprof.prf for all users other than administrators.

4. This has been resolved in versions starting from 9.2.3: IBIController Server-Side Injection > Remote Code Execution (RCE).
   The attempt to deserialize code when IBIController is called is now disabled. This can also be mitigated by enabling the security settings; see the Note below.
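The write restriction described in the fix details and in item 2 above, illustrated as an added Python example (not ibi's servlet code, which is Java): a handler that canonicalizes the client-supplied name, creates the file only if it stays under the temp directory, and otherwise logs a refusal modelled on the advisory's error line. Function names, the throwaway temp directory and the sample requests are assumptions.

```python
"""Illustration of the 9.2.3 write restriction: files are created only
under the WebFOCUS temp directory, and anything else is refused and logged.
Added example, not ibi's servlet code; names and layout are assumptions."""
import logging
import tempfile
from pathlib import Path
from typing import Optional, Union

log = logging.getLogger("IBIGraphServlet-example")


def resolve_inside(root: Union[str, Path], requested: str) -> Optional[Path]:
    """Map a client-supplied name to a real path, or None if it leaves root.
    resolve() collapses '..' and follows symlinks, so the containment test
    runs on the real target; an absolute name replaces root in the join
    and therefore fails the check as well."""
    base = Path(root).resolve()
    target = (base / requested).resolve()
    try:
        target.relative_to(base)
    except ValueError:
        return None
    return target


def write_graph_file(root: Union[str, Path], requested: str, data: bytes) -> bool:
    """Write data under root only; refuse (and log) anything else."""
    target = resolve_inside(root, requested)
    if target is None or target == Path(root).resolve():
        # Same situation the page describes for writes outside the temp dir
        log.error("Failed to create the path relative to [%s]: %r", root, requested)
        return False
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return True


def demo() -> dict:
    """Run representative requests against a throwaway directory (constructed)."""
    with tempfile.TemporaryDirectory() as tmp:  # stands in for the WebFOCUS temp dir
        return {
            "inside": write_graph_file(tmp, "charts/graph1.png", b"PNG"),
            "traversal": write_graph_file(tmp, "../apps/baseapp/report.fex", b"x"),
            "absolute": write_graph_file(tmp, "/etc/hosts", b"x"),
            "empty": write_graph_file(tmp, "", b"x"),
        }


if __name__ == "__main__":
    print(demo())  # {'inside': True, 'traversal': False, 'absolute': False, 'empty': False}
```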


Note:
Ensure the following security settings are enabled:
  • Cross-Site Request Forgery (CSRF) protection
  • Validation set to default enforcement and log.