
Security Bulletin: IBM WebSphere Installer used by WebSphere Message Broker, IBM Integration Bus, IBM Integration Bus Healthcare Pack, Manufacturing Pack, and Retail Pack is susceptible to DLL-planting vulnerability (CVE-2016-4560)

Created by Veena Ramachandran on
Published URL:
https://www.ibm.com/support/pages/node/545393

Summary

The Windows graphical user interface installer (setup.exe) used by WebSphere Message Broker, IBM Integration Bus, IBM Integration Bus Healthcare Pack, IBM Integration Bus Manufacturing Pack, and IBM Integration Bus Retail Pack, is susceptible to a DLL-planting vulnerability, where a malicious DLL that is present in the Windows search path could be loaded by the operating system in place of the genuine file.

Vulnerability Details

CVEID: CVE-2016-4560
DESCRIPTION:
Flexera InstallAnywhere could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability by placing a Trojan horse DLL in the current working directory of a setup-launcher executable file, which the operating system then loads in place of the genuine library, to gain elevated privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

The vulnerability affects the executable (.exe file extension) installers and fix packs for the following products and versions:

IBM Integration Bus V9 for Windows (V9.0.0.0 -> V9.0.0.5)

WebSphere Message Broker V8 for Windows (V8.0.0.0 -> V8.0.0.7)

IBM Integration Bus Healthcare Pack V3 for Windows (V3.0.0.0 -> V3.0.0.1)

WebSphere Message Broker Connectivity Pack for Healthcare V8 for Windows (V8.0.0.0)

WebSphere Message Broker Connectivity Pack for Healthcare V7 for Windows (V7.0.0.0 -> V7.0.0.2)

IBM Integration Bus Manufacturing Pack V1 for Windows (V1.0.0.0 -> V1.0.0.1)

IBM Integration Bus Retail Pack V1 for Windows (V1.0.0.0)

Remediation/Fixes

Product                                 VRMF  APAR     Remediation/Fix
--------------------------------------  ----  -------  ------------------------------------------------------------
IBM Integration Bus Manufacturing Pack  V1    IT15616  The APAR is available in Fix Pack 1.0.0.2
                                                       http://www-01.ibm.com/support/docview.wss?uid=swg21987596
IBM Integration Bus                     V9    IT15601  The APAR is available in Fix Pack 9.0.0.6
                                                       https://www-304.ibm.com/support/docview.wss?uid=swg24042598
WebSphere Message Broker                V8    IT15601  The APAR is available in Fix Pack 8.0.0.8
                                                       https://www-304.ibm.com/support/docview.wss?uid=swg24042925
IBM Integration Bus Retail Pack         V1    IT15611  IBM Integration Bus Retail Pack 1.0.0.0 has been repackaged
                                                       to no longer be susceptible to the described vulnerability.
                                                       The updated package is available via IBM Passport Advantage.

The following link directs you to the Passport Advantage Online web site. Passport Advantage is a secure web site that requires an account ID and password.

http://www.ibm.com/software/how-to-buy/passportadvantage/pao_customers.htm


For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.


The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at:
http://www.ibm.com/support/docview.wss?uid=swg27006308

Workarounds and Mitigations

Complete these steps to work around the InstallAnywhere untrusted search path vulnerability, which could otherwise allow a local user to gain increased privileges:
1) Create a new, empty, secure directory in a temporary location.
The directory must not have existed previously, and only the administrator should have write access to it.
2) Either copy or move the installer executable, or unpack the installation zip file, into the new, empty directory created in Step 1.
3) Ensure that there are no DLL files in this directory.
4) Launch the installer executable from its new location, so that its current working directory is the clean directory.
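The four workaround steps above can be carried out from an elevated PowerShell session as one script. The following is an added example written for this bulletin, not IBM's own tooling: it assumes an $InstallerPath parameter pointing at the downloaded setup.exe, builds a fresh staging directory name under %TEMP% with a random suffix, and grants write access only to BUILTIN\Administrators and NT AUTHORITY\SYSTEM. It refuses to launch if any DLL is found beside the installer.

```powershell
# Added example (not part of the IBM bulletin): applies the bulletin's four-step
# workaround for CVE-2016-4560 from an elevated PowerShell session.
# $InstallerPath is an assumed parameter; the staging directory name is generated here.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath
)

$ErrorActionPreference = 'Stop'

# Step 1: a brand-new, empty directory under %TEMP% that did not exist before.
$stageDir = Join-Path $env:TEMP ("iib-install-" + [guid]::NewGuid().ToString('N'))
if (Test-Path $stageDir) { throw "Staging directory already exists: $stageDir" }
New-Item -ItemType Directory -Path $stageDir | Out-Null

# Only Administrators and SYSTEM may write to the directory. Inheritance from
# %TEMP% is disabled so that no broader ACE (for example for Users) is carried over.
$acl = Get-Acl -Path $stageDir
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, discard inherited ACEs
foreach ($identity in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $stageDir -AclObject $acl

# Step 2: copy the installer into the clean directory.
# (For a zip distribution, use Expand-Archive -DestinationPath $stageDir instead.)
if (-not (Test-Path -Path $InstallerPath -PathType Leaf)) {
    throw "Installer not found: $InstallerPath"
}
$stagedInstaller = Join-Path $stageDir (Split-Path -Path $InstallerPath -Leaf)
Copy-Item -Path $InstallerPath -Destination $stagedInstaller

# Step 3: refuse to continue if any DLL is present next to the installer.
$dlls = Get-ChildItem -Path $stageDir -Filter '*.dll' -File -Recurse
if ($dlls) {
    $dlls | ForEach-Object { Write-Warning "Unexpected DLL in staging directory: $($_.FullName)" }
    throw 'Staging directory is not clean; aborting installation.'
}

# Step 4: launch from the new location, with the working directory set to it,
# so that a DLL planted in the original download directory is never on the search path.
Start-Process -FilePath $stagedInstaller -WorkingDirectory $stageDir -Wait
```

Run it as an administrator, for example .\stage-install.ps1 -InstallerPath C:\Downloads\setup.exe. The ACL is applied before the installer is copied in, so there is no window in which a non-administrative user could drop a DLL into the directory between steps 1 and 4.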

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References


Change History

22-Jul-2016 - Original version published
26-Jul-2016 - Rectified truncation of title text
17-Aug-2017 - Added IBM Integration Bus Manufacturing Pack fix link
28-Nov-2016 - Added IBM Integration Bus Retail Pack fix details

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product Synonym

WMB IIB

Document Information

Modified date:
23 March 2020

UID

swg21979292