A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. Affected versions of Avaya Control Manager include 7.x and 8.0.x versions prior to 8.0.4.0. Unsupported versions not listed here were not evaluated.

Avaya Control Manager SQL Injection (CVE-2019-7003)

Original Release Date: July 9, 2019  
Last Revised: July 10, 2019  
Number: ASA-2019-119  
Overall Severity Classification: Critical  
Advisory Version: 2.0  
Advisory Status: Final

**1\. Overview:**

Avaya Control Manager is an operational administration solution enabling administrators to control key administrative elements across both Avaya Oceana™ & Avaya Enterprise Cloud: xCaaS solution offerings, and Avaya based contact center & Avaya Aura unified communications environments.

A SQL injection vulnerability was found in the reporting component of Avaya Control Manager which could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2019-7003 to this issue.

Avaya would like to thank Ben Leonard-Lagarde (Modux) for reporting this issue.

**2\. Avaya Products affected:**

For assessment and severity classification details refer to Section 3 of Avaya's Product Vulnerability Response Policy.  
The "Resolution" column will be updated as fixes are made available. Please reference the "Information" column for any additional information regarding the affected product.

Product:

Version(s):

Resolution:

Information:

Avaya Control Manager

7.x, 8.0.0.0 through 8.0.3.0

Upgrade to 8.0.4.0 or later.

**Recommended Actions for Products:**  
Avaya strongly recommends following networking and security best practices by implementing firewalls, ACLs, physical security or other appropriate access restrictions. Though Avaya believes such restrictions should always be in place, risk to Avaya products and the surrounding network from this potential vulnerability may be mitigated by ensuring these practices are implemented until such time as an Avaya provided product update or the recommended Avaya action is applied. Further restrictions as deemed necessary based on the customer's security policies may be required during this interim period, but the System Product operating system or application should not be modified unless the change is approved by Avaya. Making changes that are not approved may void the Avaya product service contract.

**CVSS 3.0 Scoring and Metrics:**

Avaya uses the Common Vulnerability Scoring System version 3 (CVSSv3) base score and metrics as reported by the vendor for the affected component(s) or by the National Institute of Standards and Technology in the National Vulnerability Database. In some cases, such as where CVSS information is not available from the vendor or NIST, Avaya will calculate the CVSSv3 base score and metrics. Customers are encouraged to calculate the Temporal and Environmental CVSSv3 scores to determine how the vulnerability could affect their specific implementation or environment. For more information on CVSS and how the score is calculated, see Common Vulnerability Scoring System v3.0: Specification Document.

Vulnerability

CVSSv3 Base Score

CVSSv3 Metrics

CVE-2019-7003  

9.3 (Critical)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

**3\. Additional Information:**

Additional information may also be available via the Avaya support website and through your Avaya account representative. Please contact your Avaya product support representative, or dial 1-800-242-2121, with any questions.

**4\. Disclaimer:**

ALL INFORMATION IS BELIEVED TO BE CORRECT AT THE TIME OF PUBLICATION, IS PROVIDED "AS IS", AND IS APPLICABLE ONLY TO PRODUCT VERSIONS ELIGIBLE FOR MANUFACTURER SUPPORT IN ACCORDANCE WITH AVAYA PRODUCT LIFE CYCLE POLICY. AVAYA INC., ON BEHALF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES (HEREINAFTER COLLECTIVELY REFERRED TO AS "AVAYA"), DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND FURTHERMORE, AVAYA MAKES NO REPRESENTATIONS OR WARRANTIES THAT THE STEPS RECOMMENDED WILL ELIMINATE SECURITY OR VIRUS THREATS TO CUSTOMERS' SYSTEMS. IN NO EVENT SHALL AVAYA BE LIABLE FOR ANY DAMAGES WHATSOEVER ARISING OUT OF OR IN CONNECTION WITH THE INFORMATION OR RECOMMENDED ACTIONS PROVIDED HEREIN, INCLUDING DIRECT, INDIRECT, INCIDENTAL, STATUTORY, CONSEQUENTIAL DAMAGES, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF AVAYA HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

THE INFORMATION PROVIDED HERE DOES NOT AFFECT THE SUPPORT AGREEMENTS IN PLACE FOR AVAYA PRODUCTS. SUPPORT FOR AVAYA PRODUCTS CONTINUES TO BE EXECUTED AS PER EXISTING AGREEMENTS WITH AVAYA.

**5\. Revision History:**

V 1.0 - July 9, 2019 - Initial Statement issued.  
V 2.0 - July 10, 2019 - Updated reporter surname and finalized advisory.

Avaya customers or Business Partners should report any security issues found with Avaya products via the standard support process.  
Independent security researchers can contact Avaya at securityalerts@avaya.com.

© 2019 Avaya Inc. All Rights Reserved. All trademarks identifying Avaya products by the ® or ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners.

CVE-2019-7003: ASA-2019-119

DNN (aka DotNetNuke) 9.2 through 9.2.1 uses a weak encryption algorithm to protect input parameters.

CVE-2018-15811: Releases · dnnsoftware/Dnn.Platform

IBM Robotic Process Automation with Automation Anywhere 11 uses a high privileged PostgreSQL account for database access which could allow a local user to perform actions they should not have privileges to execute. IBM X-Force ID: 160764.

CVE-2019-4298: IBM Robotic Process Automation privilege escalation CVE-2019-4298 Vulnerability Report

Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.

**Abstract**

These vulnerabilities allow remote attackers to execute arbitrary SQL commands and remote authenticated users to upload arbitrary files via a susceptible version of Photo Station.

**Affected Products**

Product

Severity

Fixed Release Availability

Photo Station 6.8

Important

Upgrade to 6.8.11-3489 or above.

Photo Station 6.3

Important

Upgrade to 6.3-2977 or above.

**Mitigation**

None

**Detail**

*   CVE-2019-11821
    
    *   Severity: Important
    *   CVSS3 Base Score: 7.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    *   SQL injection vulnerability in synophoto\_csPhotoDB.php in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to execute arbitrary SQL command via the type parameter.
*   CVE-2019-11822
    
    *   Severity: Moderate
    *   CVSS3 Base Score: 4.3
    *   CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    *   Relative path traversal vulnerability in SYNO.PhotoStation.File in Synology Photo Station before 6.8.11-3489 and before 6.3-2977 allows remote attackers to upload arbitrary files via the uploadphoto parameter.

**Acknowledgement**

Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

**Revision**

Revision

Date

Description

1

2019-01-02

Initial public release.

2

2019-06-30

Disclosed vulnerability details.

CVE-2019-11822: Synology_SA_19_01 | Synology Inc.

Integer overflow in SQLite via WebSQL in Google Chrome prior to 74.0.3729.131 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2019-5827

IBM PureApplication System 2.2.3.0 through 2.2.5.3 could allow an authenticated user with local access to bypass authentication and obtain administrative access. IBM X-Force ID: 159467.

**CVEID:** CVE-2016-5699  
**DESCRIPTION:** urllib2 and urllib for Python are vulnerable to HTTP header injection, caused by improper validation of input. By persuading a victim to visit a specially-crafted Web page, a remote attacker could exploit this vulnerability to inject arbitrary HTTP headers, which will allow the attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.  
CVSS Base Score: 6.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114200 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID**: CVE-2016-8858  
**DESCRIPTION**: OpenSSH is vulnerable to a denial of service, caused by an error in the kex\_input\_kexinit() function. By sending specially crafted data during the key exchange process, a remote attacker could exploit this vulnerability to consume all available memory resources.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118127 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2017-7525  
**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw within the Jackson JSON library in the readValue method of the ObjectMapper. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 9.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134639 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-15095  
**DESCRIPTION:** Jackson Library could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue() method of the ObjectMapper. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 9.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135123 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-17485  
**DESCRIPTION:** Jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the default-typing feature. An attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 9.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137340 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2018-7489  
**DESCRIPTION:** FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by a deserialization flaw in the readValue method of the ObjectMapper. By sending specially crafted JSON input, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 7.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139549 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2018-14721  
**DESCRIPTION:** FasterXML jackson-databind is vulnerable to server-side request forgery, caused by the failure to block the axis2-jaxws class from polymorphic deserialization. A remote authenticated attacker could exploit this vulnerability to obtain sensitive data.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155136 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2018-19360  
**DESCRIPTION:** An unspecified error with failure to block the axis2-transport-jms class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155091 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2018-19361  
**DESCRIPTION:** An unspecified error with failure to block the openjpa class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155092 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2018-19362  
**DESCRIPTION:** An unspecified error with failure to block the jboss-common-core class from polymorphic deserialization in FasterXML jackson-databind has an unknown impact and attack vector.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155093 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2019-4224  
**DESCRIPTION:** IBM PureApplication System is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.  
CVSS Base Score: 6.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159240 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2019-4225  
**DESCRIPTION:** IBM PureApplication System stores potentially sensitive information in log files that could be read by a local user.  
CVSS Base Score: 4.4  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159242 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2019-4234  
**DESCRIPTION:** IBM Pure Application System weakness in the implementation of locking feature in pattern editor. An attacker by intercepting the subsequent requests can bypass business logic to modify the pattern to unlocked state.  
CVSS Base Score: 4.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159416 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2019-4235  
**DESCRIPTION:** IBM Pure Application System does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.  
CVSS Base Score: 5.9  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159417 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2019-4241  
**DESCRIPTION:** IBM Pure Application System could allow an authenticated user with local access to bypass authentication and obtain administrative access.  
CVSS Base Score: 8.4  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159467 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVE-2019-4241: Security Bulletin: Multiple vulnerabilities affect IBM PureApplication System

IBM Security Access Manager 9.0.1 through 9.0.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 158517.

  

**Summary**

Multiple Security vulnerabilities have been fixed in the 9.0.7 IBM Security Access Manager (ISAM) appliance.

**Vulnerability Details**

**CVEID:** CVE-2018-0732  
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang.  
CVSS Base Score: 3.7  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144658 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2018-0739  
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory.  
CVSS Base Score: 5.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140847 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2017-3735  
**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error while parsing an IPAdressFamily extension in an X.509 certificate. An attacker could exploit this vulnerability to trigger an out-of-bounds read, resulting in an incorrect text display of the certificate.  
CVSS Base Score: 4.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131047 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2019-4152  
**DESCRIPTION:** IBM Security Access Manager Appliance does not invalidate session tokens in a timely manner. The lack of proper session expiration may allow attackers with local access to login into a closed browser session.  
CVSS Base Score: 5.1  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158515 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID:** CVE-2019-4151  
**DESCRIPTION:** IBM Security Access Manager Appliance uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base Score: 5.9  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158512 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2019-4150  
**DESCRIPTION:** IBM Security Access Manager Appliance does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.  
CVSS Base Score: 3.7  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158510 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

**CVEID:** CVE-2019-4153  
**DESCRIPTION:** IBM Security Access Manager Appliance could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.  
CVSS Base Score: 6.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158517 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N)

**CVEID:** CVE-2019-4156  
**DESCRIPTION:** IBM Security Access Manager Appliance uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.  
CVSS Base Score: 5.9  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158572 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2019-4157  
**DESCRIPTION:** IBM Security Access Manager Appliance is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  
CVSS Base Score: 6.1  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158573 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

**CVEID:** CVE-2019-4158  
**DESCRIPTION:** IBM Security Access Manager Appliance does not prove that a user's identity is correct which can lead to the exposure of resources or functionality to unintended actors.  
CVSS Base Score: 5.4  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158574 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

**CVEID:** CVE-2019-5953  
**DESCRIPTION:** GNU Wget is vulnerable to a buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.  
CVSS Base Score: 8.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159154 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2019-9636  
**DESCRIPTION:** Python urllib.parse.urlsplit and urllib.parse.urlparse components could allow a remote attacker to obtain sensitive information, caused by improper unicode encoding handling in NFKC normalization. By using a specially-crafted URL, an attacker could exploit this vulnerability to obtain sensitive information.  
CVSS Base Score: 7.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158114 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2019-4135  
**DESCRIPTION:** IBM Security Access Manager Appliance is affected by a security vulnerability that could allow authenticated users to impersonate other users.  
CVSS Base Score: 7.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158331 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2013-2197  
**DESCRIPTION:** Login Security module for Drupal is vulnerable to a denial of service caused by an error when the delay feature is configured. A remote attacker could exploit this vulnerability by frequent or concurrent failed attempts to login which can cause the application to crash.  
CVSS Base Score: 4.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85134 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

**CVEID:** CVE-2016-10542  
**DESCRIPTION:** Node.js ws module is vulnerable to a denial of service, caused by improper size limitation of payload. By sending a large payload, a remote attacker could exploit this vulnerability to cause the application to crash.  
CVSS Base Score: 7.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149138 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2016-5725  
**DESCRIPTION:** JSch could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to the implementation for recursive sftp-get containing "dot dot" sequences (/../) to download the malicious files outside the client download base directory.  
CVSS Base Score: 4.3  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117122 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2018-16850  
**DESCRIPTION:** PostgreSQL is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to view, add, modify or delete information in the back-end database.  
CVSS Base Score: 6.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152915 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

**CVEID:** CVE-2017-7546  
**DESCRIPTION:** PostgreSQL could allow a remote attacker to bypass security restrictions, caused by a flaw in the libpq. By setting an empty password, an attacker could exploit this vulnerability to bypass access restrictions and log in to the system.  
CVSS Base Score: 7.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130240 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

**CVEID:** CVE-2017-12172  
**DESCRIPTION:** PostgreSQL could allow a local authenticated attacker to bypass security restrictions, caused by a flaw in the start scripts. By creating a symbolic link from the $PGLOG file to a critical file, an attacker could exploit this vulnerability to modify root-owned files.  
CVSS Base Score: 7.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134712 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2016-7048  
**DESCRIPTION:** PostgreSQL could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the Interactive installer. By persuading victim to download a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.  
CVSS Base Score: 7.5  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148749 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2016-0766  
**DESCRIPTION:** PostgreSQL could allow a remote authenticated attacker to gain elevated privileges on the system, caused by the failure to restrict configuration settings (GUCS) for PL/Java. By modifying the settings, an attacker could exploit this vulnerability to gain elevated privileges on the system.  
CVSS Base Score: 8.8  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110627 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2019-4145  
**DESCRIPTION:** IBM Security Access Manager Appliance could reveal highly sensitive in specialized conditions to a local user which could be used in further attacks against the system.  
CVSS Base Score: 7.7  
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158400 for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

**Affected Products and Versions**

ISAM 9.0.1, 9.0.2 9.0.3, 9.0.4, 9.0.5, 9.0.6

ISAM Appliance 9.0.1, 9.0.2 9.0.3, 9.0.4, 9.0.5, 9.0.6

**Remediation/Fixes**

Product

VRMF

Remediation/First Fix

ISAM

9.0.1 -9.0.6

ISAM 9.0.7.0

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza, Matt McCarty, Vincent Dragnea, Troy Fisher, Nathan Roane

**Change History**

21 June 2019: First version published.

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

**Internal Use Only**

Advisories: 13963, 15533, 15534, 15535, 15537, 15575, 15576, 15577, 15578, 13128, 15499, 14228, 16424, 15876, 15392, 15500, 15501

Product Records: 126047, 133096, 133097, 133098 133099, 133266, 133267 133268, 133269,130313, 132944, 127298, 137192, 134825, 132173, 123945, 132947

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSZU8Q","label":"IBM Security Access Manager"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"9.0.1;9.0.2;9.0.3;9.0.4;9.0.5;9.0.6","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\\/o TPS"},"Product":{"code":"SSQRZH","label":"IBM Security Access Manager Appliance"},"Component":"","Platform":\[{"code":"PF016","label":"Linux"}\],"Version":"9.0.1;9.0.2;9.0.3;9.0.4;9.0.5;9.0.6","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}\]

CVE-2019-4153: Security Bulletin: Multiple Security Vulnerabilities fixed in IBM Security Access Manager Appliance

A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.

Release date: April 25, 2019

These release notes describe the new features, improvements, and fixed issues in Serv-U File Server 15.1.7. They also provide information about upgrades and describe workarounds for known issues.

If you are looking for previous release notes for Serv-U File Server, see Previous Version documentation.

NPAPI is deprecated in Google Chrome. This means Web Client Pro will not function in Google Chrome. As a workaround, access Web Client Pro using another browser.

**New features and improvements**

Return to top

Serv-U 15.1.7 is a service release containing three hotfixes, and additional fixes, described here.

**Previous releases**

Serv-U 15.1.6 included the following new features and updates:

*   Support for Explicit SSL when connected to SMTP server
*   Support for HTTP Strict Transport Security
*   Support for Elliptic-curve Diffie-Hellman (ECDH) key exchange
*   Forward secrecy is enabled by default (new installations only)
*   TLS 1.0 is disabled by default (new installations only)
*   Disabled SSL/TLS ciphers based on 64-bit block size (new installations only)
*   Support for Secure LDAP protocol (Windows installation only)
*   Various fixes described in the Fixed Issues section.

Serv-U 15.1.5 was a service release containing security fixes, described in the Fixed Issues section.

Serv-U 15.1.4 was a service release containing two hotfixes, described in the Fixed Issues section.

Serv-U 15.1.3 was a service release containing two hotfixes, described in the Fixed Issues section.

For earlier Serv-U 15.x.x releases, please visit the Previous Versions page.

**Fixed issues**

Return to top

Serv-U 15.1.7 fixes the following issues.

 

Case Number

Description

423241

Fixed issue where writing files to disk could cause bottleneck

1197511

Corrected SSL error handling on Socket level

00063383

Fixed issue with service when sending download link to guest user

00068104

Corrected format for X-Csrf-Token HTTP header (FTP Voyager JV)

00159690

Fixed issue with ODBC database validation

00200302

CSRF issues resolved.

00186124

Can now add a user to a collection when the user exists in another collection

00204425

Serv-U no longer deletes incorrect files from directories with delete rules

00229117

Serv-U no longer response incorrectly when empty user name and password is used to log on

00284847

Issues in web management interface fixed

00061457

Special characters from E-mail notification template not sent correctly

00039051, 00081081, 00195143, 00263829, 00260387, 00218061, 1362493, 1338156

Updated jquery libraries

00054823, 1320710, 1335744

Files list returned corrected from LIST Command

00085995, 00201705

CVE-1999-0017 vulnerability fixed.

00187355, 00065590, 00053277, 00105077, 00123871

Multiple issues in SFTP protocol resolved

00240051, 00267281, 00260953, 00280283, 00285641

WinSCP upload issues resolved

n/a

Resolved a privilege escalation issue, logged as CVE-2018-19999 – with thanks to Chris Moberly at The Missing Link.

n/a

Resolved a privilege escalation issue, logged as CVE-2019-12181 – with thanks to Guy Levin (@va\_start).

Serv-U 15.1.6 fixes the following issues.

 

Case Number

Description

961565, 1183341, 887731, 1123968, 1125053, 901145, 1091444, 1131439, 1080928, 796814, 799615, 787936, 1036534

Fixed an issue with limited top level domain.

1050275

Fixed an issue with long timeout where LDAP server was unavailable

166489, 1126605, 914000

Fixed an issue with SSH Ciphers description.

1186645, 979487

Fixed an impersonation issue during downloads.

1039205

Fixed an issue with password stale event.

1086638, 1209329

Fixed an issue with special characters in File Sharing notification template.

1129144, 1115351

Fixed a possible crash of Gateway.

1163543

Fixed an issue with user creation wizard.

1123779

Fixed a memory leak issue related to SFTP sessions.

1231876, 1233371, 1209874

Fixed broken links to support site.

1124857, 1181653, 1215831, 1223871, 1230986, 1241567, 1326419

Fixed an issue with bare line feed character.

Serv-U 15.1.5 fixes the following issues.

 

Case Number

Description

1110916

Fixed potential vulnerability with unauthenticated privilege escalation Reported by – Trustwave SpiderLabs Contact - Leopold von Niebelschuetz-Godlewski

904433, 804380

Fixed an issue with possibility of unauthorized access to the files in installation folder on web server. Reported by – www.netspi.com Contact - Cody Wass (Cody. Wass@netspi.com)

1065565, 1061848, 1056263, 1054225, 1090081, 1045088

Fixed an issue where domain users were not able to login when ldap suffix was used.

741595

Fixed a memory leak issue that occurred during LDAP authentication.

951099, 1065736, 1022993

Fixed a memory leak issue that occurred during SFTP session.

882524, 909979, 871563, 867742, 867834, 981751, 877933

Fixed an issue with "Automatic idle connection timeout" limit.

Serv-U 15.1.4 fixes the following issues.

 

Case Number

Description

991668

ECDHE-RSA-AES256\* ciphers shown as enabled or disabled correctly

954294

Long (encrypted) passwords issue fixed.

984664, 1003106, 993854

OpenSSL vulnerabilities - updated to 1.0.2h

932381

SHA-1 Cert deprecation (Previous cert was due to expire in January 2017)

984485, 887910, 741595

LDAP suffix issue fixed

844572, 894400, 953313, 910253, 881308, 914055, 990080

Web client Favorites fixed.

1005791, 1005383, 990956, 984664, 982577, 966856, 948270, 963296, 941118, 934566, 927375, 917616, 900288, 883047, 885033, 884883, 876306, 876820, 874853, 872968, 857502, 862922, 853433

Serv-U no longer freezes in FIPS mode during SFTP connections.

Serv-U 15.1.3 fixes the following issues.

 

Case Number

Description

872782, 864631

Case sensitivity issues occurred when configuring Directory Access rules.

n/a

An issue with LDAP public key authentication.

n/a

Memory leak occurs during LDAP authentication.

853136

An issue with the expired password change functionality.

868638

An issue with multi-line FTP responses for the FEAT command.

n/a

An issue with the possibility of SQL injection in the invitation link used by secure file sharing.

625348

An issue with the possibility of persistent cross-site scripting in file sharing.

n/a

An issue with the possibility of the injection of additional email headers using a crafter subject in an upload or download request.

**Legal notices**

Return to top

© 2019 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.

CVE-2019-12181: Serv-U File Server 15.1.7 Release Notes

An issue was discovered in Tyto Sahi Pro through 7.x.x and 8.0.0. A parameter in the web reports module is vulnerable to h2 SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.

An issue was discovered in Tyto Sahi Pro ( <= 8.x )  
A parameter in the web reports module is vulnerable to  SQL injection. This can be exploited to inject SQL queries and run standard h2 system functions.

It was found in sahi reports web interface,whenever we search for a particular report using search field , direct sql query was passed as part of GET request. This query can be manipulated to dump internal details such as database name ,database path , read files using h2 system functions , user details , schema details and other critical information related to the internals of sahi database to external adversary  on same network.

Proof of concept :

              **Fig 1 : sql query is directly passed as part of GET request**

Sahi web reports interface allows an end user to search for a report based on its name. This user supplied parameter is converted into a SQL query and is directly passed as part of URL as shown in figure 1.

As sahi is using **H2 database** to store the reports and other data, an end user can exploit this scenario to run **h2 database system functions** by manipulating the passed SQL query .

               **Fig 2 : leak of memory used by sahi application ( memory\_used() )**

**Modified URL :**

**http://localhost:9999/\_s\_/dyn/pro/DBReports?sql=SELECT DISTINCT memory\_used() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.\* FROM SUITEREPORTS,SCRIPTREPORTS**

           **Fig 3 : leak of database path by sahi application ( database\_path() )**

**Modified URL:**

**http://localhost:9999/\_s\_/dyn/pro/DBReports?sql=SELECT DISTINCT database\_path() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.\* FROM SUITEREPORTS,SCRIPTREPORTS**

       **Fig 4 : leak of current database user by sahi application ( user() )**

**Modified URL:** 

**http://localhost:9999/\_s\_/dyn/pro/DBReports?sql=SELECT DISTINCT user() AS ROWSTATUS, SCRIPTREPORTS.SCRIPTREPORTID,SCRIPTREPORTS.SCRIPTNAME,SUITEREPORTS.\* FROM SUITEREPORTS,SCRIPTREPORTS**

All h2 system functions can be used to abuse and leak more sensitive  information by un-authenticated user .

Disclosure timeline :

disclosed on : 8/ December / 2018

suggested quick fix till the official patch is released : password protect web reports module

Affected versions : all versions of **sahi pro ( <= 8.x ) (web application automation )**

**vendor website** :  https://sahipro.com/

**Post navigation**

CVE-2018-20469: CVE-2018-20469 - Sahi pro (

An exploitable local privilege elevation vulnerability exists in the file system permissions of the `Temp` directory in GOG Galaxy 1.2.48.36 (Windows 64-bit Installer). An attacker can overwrite executables of the Desktop Galaxy Updater to exploit this vulnerability and execute arbitrary code with SYSTEM privileges.

**Summary**

An exploitable local privilege elevation vulnerability exists in the file system permissions of GOG Galaxy’s Temp directory. An attacker can overwrite executables of the Desktop Galaxy Updater to exploit this vulnerability and execute arbitrary code with SYSTEM privileges.

**Tested Versions**

Gog Galaxy 1.2.48.36 (Windows 64-bit Installer)

**Product URLs**

https://www.gog.com/galaxy

**CVSSv3 Score**

9.3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-276: Incorrect Default Permissions

**Details**

GOG Galaxy is a platform that allows users to launch, update and manage video games. By default, GOG Galaxy extracts the executables for the automatic update function in a directory that allows anyone on the system to have “full control.” This allows all users to read, write or modify arbitrary files related to the GOG Galaxy Updater Service. The executables include sensitive data, such as a root CA, as well as executables that will be run with SYSTEM privileges once they are installed, allowing an attacker to overwrite them prior to installation to achieve arbitrary code execution with SYSTEM privileges.

\`\`\` C:>icacls.exe “C:\\ProgramData\\GOG.com\\Galaxy\\temp\\desktop-galaxy-updater” C:\\ProgramData\\GOG.com\\Galaxy\\temp\\desktop-galaxy-updater Everyone:(I)(F) Everyone:(I)(OI)(CI)(IO)(F) NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F) BUILTIN\\Administrators:(I)(OI)(CI)(F) SPRITE\\rjohnson:(I)(F) CREATOR OWNER:(I)(OI)(CI)(IO)(F) BUILTIN\\Users:(I)(OI)(CI)(RX) BUILTIN\\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

C:>dir “C:\\ProgramData\\GOG.com\\Galaxy\\temp\\desktop-galaxy-updater” Volume in drive C has no label. Volume Serial Number is DEC6-C1D3

Directory of C:\\ProgramData\\GOG.com\\Galaxy\\temp\\desktop-galaxy-updater

11/09/2018 03:10 PM

. 11/09/2018 03:10 PM

.. 11/06/2018 12:11 PM 152,648 expat.dll 11/06/2018 12:11 PM 1,487,944 GalaxyUpdater.exe 11/06/2018 12:11 PM 1,273,416 libeay32.dll 11/06/2018 12:11 PM 426,568 pcre.dll 11/06/2018 12:11 PM 157,256 PocoCrypto.dll 11/06/2018 12:11 PM 1,856,072 PocoData.dll 11/06/2018 12:11 PM 387,656 PocoDataSQLite.dll 11/06/2018 12:11 PM 1,656,392 PocoFoundation.dll 11/06/2018 12:11 PM 327,752 PocoJSON.dll 11/06/2018 12:11 PM 1,071,176 PocoNet.dll 11/06/2018 12:11 PM 306,248 PocoNetSSL.dll 11/06/2018 12:11 PM 503,368 PocoUtil.dll 11/06/2018 12:11 PM 513,608 PocoXml.dll 11/06/2018 12:11 PM 270,920 PocoZip.dll 11/06/2018 12:11 PM 4,635,720 Qt5Core.dll 11/06/2018 12:11 PM 250,607 rootCA.pem 11/06/2018 12:11 PM 681,032 sqlite.dll 11/06/2018 12:11 PM 282,696 ssleay32.dll 11/09/2018 03:10 PM

web 11/06/2018 12:11 PM 107,592 zlib.dll 19 File(s) 16,348,671 bytes

**Mitigation**

Users of GOG Galaxy can replace the “Full Control” permission with “Read and Execute” for the “Everyone” group in the GOG Galaxy “Temp” directory and ensure all file system objects below that path inherit from the parent directory.

**Timeline**

2018-11-20 - Vendor Disclosure  
2019-03-14 - Vendor Patched  
2019-03-26 - Public Release

Discovered by Richard Johnson of Cisco Talos.

Tag

#sql