
Critical Vulnerabilities in WebMethods Integration on IBM Servers

IBM’s webMethods Integration Server contains several severe vulnerabilities that pose a significant threat to organizations relying on the platform for integration and API management. Multiple vulnerabilities have been discovered in version 10.15 of the software; the most critical, CVE-2024-45076, is rated highly critical with a CVSS base score of 9.9.

This vulnerability allows authenticated users to upload and execute arbitrary files on the operating system; it is especially serious because exploitation has low complexity and requires minimal user interaction. Two further vulnerabilities have been identified in IBM webMethods Integration Server. CVE-2024-45075, with a CVSS base score of 8.8, enables authenticated users to escalate their privileges to the administrator level by exploiting missing authentication controls in the scheduler tasks. CVE-2024-45074, with a CVSS base score of 6.5, allows authenticated users to traverse directories on the server through specially crafted URL requests containing “/../”, potentially giving unauthorized access to sensitive files.

Organizations running IBM webMethods Integration Server version 10.15 are strongly advised to address these vulnerabilities promptly. IBM recommends that affected users apply the fix immediately: Corefix 14 for Integration Server is available through the Update Manager. IBM’s instructions for applying it include opening the Update Manager application in online mode, viewing fixes from Empower, and reviewing the available fixes for the product.

As of now, no workarounds or mitigations are available for these vulnerabilities, so applying the provided fix is the only effective way to reduce the associated risk. IBM has published a security bulletin describing the vulnerabilities and urges users to subscribe to My Notifications for critical product support alerts so they learn of essential security updates promptly.

The vulnerabilities in IBM webMethods Integration Server were reported to IBM by Matthew Galligan of CISA. Ongoing updates and additional information are available through the IBM Secure Engineering Web Portal and the IBM Product Security Incident Response Blog. The security bulletin was first published on September 4, 2024; IBM directs users to the CVSS v3 Guide and related resources to evaluate the impact of these vulnerabilities in their own environments.

The disclosure of these vulnerabilities emphasizes the critical need for immediate action to protect systems from potential exploitation. Organizations are strongly encouraged to apply the necessary fixes and stay informed through official IBM channels to safeguard their infrastructure against these threats.
