IBM reports flaws in webMethods Integration Server, one critical
Take action: If you are running IBM webMethods, plan to patch ASAP. Although all three flaws require an authenticated user to exploit them, the severity is rated very high, possibly because obtaining an authenticated user is easy in practice. Don't delay.
Learn More
IBM has disclosed several severe vulnerabilities within its webMethods Integration Server, a platform widely used for integration and API management.
Vulnerability details:
- CVE-2024-45076 (CVSS score 9.9) - allows an authenticated user to upload and execute arbitrary files on the underlying operating system. The vulnerability is particularly dangerous due to its low exploitation complexity and the minimal user interaction required, making it highly critical for organizations relying on the affected version of webMethods Integration Server.
- CVE-2024-45075 (CVSS score 8.8) - permits an authenticated user to escalate their privileges to the administrator level. The flaw is caused by missing authentication controls in the scheduler tasks, allowing unauthorized privilege escalation.
- CVE-2024-45074 (CVSS score 6.5) - an authenticated user can exploit this vulnerability by using specially crafted URL requests containing "dot dot" sequences (/../) to traverse directories on the server. This could lead to unauthorized access to sensitive files.
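The traversal flaw above is the kind of thing a defender can watch for in web server access logs. The following is an added example, not code from IBM's advisory or from the product: it percent-decodes each requested path (including double encoding), resolves the ".." segments, and flags only requests that actually escape the web root, so that a harmless "/a/../b" is not a false positive. The log lines and paths are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the advisory); the request paths are
# made up and do not refer to real webMethods endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2024:10:00:01 +0000] "GET /health/ping HTTP/1.1" 200
10.0.0.9 - - [01/Oct/2024:10:00:02 +0000] "GET /ui/../../../etc/passwd HTTP/1.1" 200
10.0.0.9 - - [01/Oct/2024:10:00:03 +0000] "GET /ui/%2e%2e/%2e%2e/config/server.cnf HTTP/1.1" 200
10.0.0.9 - - [01/Oct/2024:10:00:04 +0000] "GET /ui/%252e%252e/%252e%252e/packages/ HTTP/1.1" 404
10.0.0.7 - - [01/Oct/2024:10:00:05 +0000] "GET /docs/a/../b/index.html HTTP/1.1" 200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (\S+) HTTP/')


def canonicalize(path, max_decodes=2):
    """Percent-decode repeatedly (defeats double encoding), drop the query
    string and treat backslashes as separators before any matching."""
    for _ in range(max_decodes):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.split("?", 1)[0].replace("\\", "/")


def traversal_depth(path):
    """Return how many directory levels the resolved path climbs above the
    web root (0 means it stays inside, so '/a/../b' is not flagged)."""
    depth, escapes = 0, 0
    for seg in canonicalize(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if depth == 0:
                escapes += 1
            else:
                depth -= 1
        else:
            depth += 1
    return escapes


def flag_traversal(log_text):
    """Return (raw_path, levels_escaped) for every request leaving the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and traversal_depth(m.group(1)) > 0:
            hits.append((m.group(1), traversal_depth(m.group(1))))
    return hits
```

A naive search for the literal string ".." would miss the two encoded requests and flag the legitimate "/docs/a/../b/index.html"; canonicalizing first avoids both errors.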
IBM webMethods Integration Server version 10.15 is impacted by these vulnerabilities.
IBM strongly recommends that organizations using the affected version apply the necessary fixes immediately. The following steps can be taken to apply the fix:
- Open the Update Manager application in online mode, using either the command line or graphical interface, as outlined in the Connecting to Empower guide.
- Navigate to "View Fixes" and select "View Fixes from Empower."
- Choose a product directory to display all available fixes, or enter a test patch key to locate a specific support patch.
- If desired, leave the product directory field unselected to see the latest fixes for all products licensed from Software AG.
- Optionally, specify a script location for Update Manager to execute, which will check for fixes on Empower.
- Review the available fixes, including the contents and readme for each item.
Corefix 14 for the Integration Server is available through the Update Manager and should be applied as soon as possible.
Currently, there are no available workarounds or mitigations for these vulnerabilities. Organizations must implement the provided fix immediately to mitigate the risks.