Critical vulnerabilities in IBM WebSphere, Security Access Manager & MQ Appliance let anybody take control of your network

IBM network security specialists have disclosed the discovery and correction of multiple vulnerabilities in several of the company's products. According to these security reports, exploiting the flaws would allow threat actors to take full control of the compromised network, so it is necessary to update as soon as possible.

The first security issue is an XML External Entity Injection (XXE) vulnerability in IBM Security Access Manager v9.0.7.1. The vulnerability, tracked as CVE-2019-4707, is triggered when processing XML data; a remote attacker could exploit the flaw to expose sensitive information or exhaust the target system's memory. The flaw received a score of 7/10 on the Common Vulnerability Scoring System (CVSS) scale.

No workarounds are known so far, so it is recommended that admins deploy the IBM update to mitigate the risk of exploiting this vulnerability.
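The XXE mitigation an application owner can apply on their own side is to parse untrusted XML with a parser that refuses DOCTYPE declarations, entity declarations and external entity references, and that caps how much character data it will accumulate. The following added example (written for this article, not IBM's code or the fix for CVE-2019-4707) shows such a hardened parser built on Python's `expat` bindings; the `MAX_TEXT_CHARS` limit, the `UnsafeXMLError` type and the sample documents are assumptions constructed for the demonstration.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document uses XML features the hardened parser refuses."""


# Assumed limit on total character data: a defence-in-depth cap against
# entity-expansion documents that balloon in memory.
MAX_TEXT_CHARS = 1_000_000


def parse_hardened(data: bytes, max_text: int = MAX_TEXT_CHARS) -> dict:
    """Parse XML into nested dicts while refusing DOCTYPE, entity declarations
    and external entity references, the features XXE relies on."""
    parser = xml.parsers.expat.ParserCreate()
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]
    seen_chars = 0

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Refusing the DTD outright removes the entity machinery entirely.
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")

    def reject_entity(*_):
        # Defence in depth: never reached when DOCTYPE is refused.
        raise UnsafeXMLError("entity declarations are not accepted")

    def reject_external(context, base, system_id, public_id):
        raise UnsafeXMLError("external entity references are not resolved")

    def start_element(name, attrs):
        node = {"tag": name, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end_element(name):
        stack.pop()

    def character_data(text):
        nonlocal seen_chars
        seen_chars += len(text)
        if seen_chars > max_text:
            raise UnsafeXMLError("character data exceeds the configured limit")
        stack[-1]["text"] += text

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = character_data

    parser.Parse(data, True)
    if not root["children"]:
        raise UnsafeXMLError("document has no root element")
    return root["children"][0]


# Constructed sample input (not from the advisory): a benign document and one
# that declares an entity, which a hardened parser must refuse.
BENIGN = b"<config><user name='alice'>hello</user></config>"
WITH_DTD = b"<!DOCTYPE d [<!ENTITY greeting 'hi'>]><d>&greeting;</d>"


def demo() -> dict:
    """Parse both samples and report whether the DTD-bearing one was rejected."""
    tree = parse_hardened(BENIGN)
    try:
        parse_hardened(WITH_DTD)
        rejected = False
    except UnsafeXMLError:
        rejected = True
    return {"tag": tree["tag"], "rejected_dtd": rejected}


if __name__ == "__main__":
    print(demo())
```

Because an exception raised inside an expat handler aborts the parse, the document is rejected before any entity is expanded or fetched; the character-data cap is the second line of defence against documents that are well-formed but engineered to consume memory.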

The next report concerns the correction of two vulnerabilities in HTTP/2. Some HTTP/2 implementations are vulnerable to resource loops, which can lead to a denial of service (DoS) condition: threat actors open multiple request streams and repeatedly change their position in the priority tree, consuming CPU resources. The first of these flaws was identified as CVE-2019-9513 and received a score of 7.5/10 on the CVSS scale, network security experts mention.

On the other hand, CVE-2019-9511 is a flaw that allows attackers to manipulate the window size and stream priority so that the server is forced to queue response data in 1-byte chunks. Depending on how efficiently the server handles this, excessive memory consumption, CPU consumption, or both will result.
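Both flaws show up as an abnormal mix of control frames on a single connection, so a defender can spot them at the frame level: a flood of PRIORITY frames with almost no HEADERS or DATA (the CVE-2019-9513 pattern) or a long run of WINDOW_UPDATE frames carrying tiny increments (the CVE-2019-9511 pattern). The added example below, written for this article rather than taken from IBM or the advisory, decodes the standard 9-byte HTTP/2 frame header and applies those two heuristics to a connection's inbound frames; the thresholds in `assess_connection` and the `sample_traffic` streams are constructed assumptions for the demonstration, not measured values.

```python
from collections import Counter

# HTTP/2 frame type codes from RFC 7540.
DATA, HEADERS, PRIORITY, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x8
FRAME_HEADER_LEN = 9


def build_frame(ftype: int, stream_id: int, payload: bytes = b"", flags: int = 0) -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame; wait for more bytes
        yield ftype, flags, stream_id, payload
        pos += FRAME_HEADER_LEN + length


def assess_connection(buf: bytes, max_priority: int = 100,
                      max_tiny_updates: int = 100, tiny_increment: int = 64) -> list:
    """Return findings for one connection's inbound frame stream.

    'resource-loop' : PRIORITY frames dominate the connection (CVE-2019-9513 pattern)
    'data-dribble'  : many WINDOW_UPDATEs with tiny increments (CVE-2019-9511 pattern)
    The thresholds are assumed starting points, not values from the advisory.
    """
    counts = Counter()
    tiny_updates = 0
    for ftype, _flags, _sid, payload in iter_frames(buf):
        counts[ftype] += 1
        if ftype == WINDOW_UPDATE and len(payload) == 4:
            increment = int.from_bytes(payload, "big") & 0x7FFFFFFF
            if increment < tiny_increment:
                tiny_updates += 1
    findings = []
    useful = counts[DATA] + counts[HEADERS]
    # Priority churn is only suspicious when it dwarfs the frames that carry requests.
    if counts[PRIORITY] > max_priority and counts[PRIORITY] > 10 * max(useful, 1):
        findings.append("resource-loop")
    if tiny_updates > max_tiny_updates:
        findings.append("data-dribble")
    return findings


def sample_traffic(kind: str) -> bytes:
    """Constructed frame streams for exercising the detector (not real captures)."""
    if kind == "normal":
        frames = [build_frame(HEADERS, 1), build_frame(DATA, 1, b"GET"),
                  build_frame(WINDOW_UPDATE, 0, (65535).to_bytes(4, "big"))]
    elif kind == "priority-flood":
        frames = [build_frame(HEADERS, 1)]
        # PRIORITY payload: 4-byte dependency + 1-byte weight.
        frames += [build_frame(PRIORITY, 2 * i + 1, (0).to_bytes(4, "big") + b"\x10")
                   for i in range(200)]
    elif kind == "tiny-windows":
        frames = [build_frame(HEADERS, 1)]
        frames += [build_frame(WINDOW_UPDATE, 1, (1).to_bytes(4, "big")) for _ in range(150)]
    else:
        raise ValueError(kind)
    return b"".join(frames)


if __name__ == "__main__":
    for kind in ("normal", "priority-flood", "tiny-windows"):
        print(kind, assess_connection(sample_traffic(kind)))
```

In production this logic would sit in a reverse proxy or IDS module that sees the TLS-terminated frame stream; a connection that trips either heuristic is a candidate for closing with GOAWAY and logging the client, which is the behaviour the patched HTTP/2 stacks apply internally.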

Finally, a vulnerability was reported in WebSphere Application Server ND, which is bundled with IBM Security Identity Manager. According to network security experts from the International Institute of Cyber Security (IICS), exploitation would allow attackers to access sensitive information by sending a specially crafted URL. The flaw received a score of 3.5/10.

IBM addressed the reported vulnerabilities promptly, so administrators need only install the official fixes on potentially affected systems. For more details, please refer to the company's official website.