CVE-2024-45076 (CVSS 9.9): Critical Flaw in IBM webMethods Integration Demands Immediate Action
IBM has issued a critical security advisory for its webMethods Integration Server, revealing multiple vulnerabilities that could allow authenticated users to execute arbitrary commands, escalate privileges, and access sensitive files. The vulnerabilities, affecting version 10.15 of the software, pose a significant risk, with one vulnerability receiving a CVSS score of 9.9.
Vulnerabilities Explained:
- CVE-2024-45076 (CVSS 9.9): A high-severity flaw enabling authenticated users to upload and execute malicious files on the underlying operating system. This vulnerability grants attackers significant control over the server, potentially leading to data breaches, service disruptions, or even complete system compromise.
- CVE-2024-45075 (CVSS 8.8): Another critical issue allows authenticated users to create scheduler tasks without proper authentication, leading to privilege escalation. Attackers could exploit this flaw to gain administrative access, further amplifying their control over the system.
- CVE-2024-45074 (CVSS 6.5): A medium-severity vulnerability permits authenticated users to traverse directories, potentially accessing sensitive files outside their intended scope. While not as severe as the previous flaws, this vulnerability could still lead to unauthorized data exposure.
Affected Users:
Organizations running IBM webMethods Integration version 10.15 are strongly urged to apply the recommended fixes immediately. The potential impact of these vulnerabilities is significant, making prompt action crucial to safeguard your systems and data.
Remediation:
IBM has released Corefix 14 for Integration Server to address these vulnerabilities. Users are advised to download and install this fix using Update Manager as soon as possible. Delaying remediation could leave your systems exposed to serious security risks.