IBM Business Process Manager and WebSphere CVE-2014-3075 Arbitrary File Upload Vulnerability
BID:69547
Info
| Bugtraq ID: | 69547 |
| Class: | Input Validation Error |
| CVE: | CVE-2014-3075 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 29 2014 12:00AM |
| Updated: | Aug 29 2014 12:00AM |
| Credit: | IBM |
| Vulnerable: | IBM WebSphere Lombardi Edition 7.2.0; IBM Business Process Manager Standard 8.5.5; IBM Business Process Manager Standard 8.5.0.1; IBM Business Process Manager Standard 8.5.0; IBM Business Process Manager Standard 8.0; IBM Business Process Manager Standard 7.5.0; IBM Business Process Manager Express 8.5.5; IBM Business Process Manager Express 8.5.0.1; IBM Business Process Manager Express 8.5.0; IBM Business Process Manager Express 8.0.0; IBM Business Process Manager Express 7.5.0; IBM Business Process Manager Advanced 8.5.5; IBM Business Process Manager Advanced 8.5; IBM Business Process Manager Advanced 8.5.0.1; IBM Business Process Manager Advanced 8.0.1.2; IBM Business Process Manager Advanced 8.0.1.1; IBM Business Process Manager Advanced 8.0; IBM Business Process Manager Advanced 7.5.1.2; IBM Business Process Manager Advanced 7.5.1.1; IBM Business Process Manager Advanced 7.5.0 |
| Not Vulnerable: | |
Discussion
IBM Business Process Manager and WebSphere are prone to an arbitrary file-upload vulnerability because they fail to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary code and execute it in the context of the web server process.
Exploit / POC
An attacker can exploit the issue using a browser.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References: