Security Bulletin
Summary
The following potential security vulnerability has been identified in versions of IBM OpenPages GRC Platform that use a Flexera InstallAnywhere based installer. See the Vulnerability Details section for more information.
Vulnerability Details
Customers who have IBM OpenPages GRC Platform are potentially impacted by the following vulnerability:
CVEID: CVE-2016-2542
DESCRIPTION: Flexera InstallShield could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability using a Trojan horse DLL in the current working directory of a setup-launcher executable file to gain elevated privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110914 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM OpenPages GRC Platform 6.x
IBM OpenPages GRC Platform 7.0
IBM OpenPages GRC Platform 7.1
Remediation/Fixes
Because of the vulnerability in the InstallAnywhere installer used by OpenPages GRC Platform, all older, out-of-support maintenance releases that use an InstallAnywhere based installer have been removed from Fix Central. This includes all OpenPages GRC Platform 6.x releases. For OpenPages GRC Platform 7.0 releases, we have remediated the latest release and removed the previous releases. For instance, OpenPages GRC Platform 7.0 Fix Pack 4 has been remediated and re-uploaded, while Fix Packs 1, 2, and 3 for OpenPages GRC Platform 7.0 have been removed.
Customers should be aware that using a non-remediated installer could leave them vulnerable to CVE-2016-2542. If there is a plan to install one of the affected releases, customers should download the remediated release first. Customers who have already installed a vulnerable release, and have no plans for further installations, are advised to delete the downloaded release kit; no further action is needed in that case. The remediated releases are listed in the table below.
| Patch | Download URL |
|---|---|
| IBM OpenPages GRC Platform with Application Server IF 6 | http://www.ibm.com/support/docview.wss?uid=swg24042538 |
| IBM OpenPages GRC Platform with Database IF 6 | http://www.ibm.com/support/docview.wss?uid=swg24042106 |
| IBM OpenPages GRC Platform 7.0 FP4 | http://www.ibm.com/support/docview.wss?uid=swg24039998 |
| IBM OpenPages GRC Platform 7.1 FP3 | http://www.ibm.com/support/docview.wss?uid=swg24042085 |
Workarounds and Mitigations
If you are unable to download a remediated installer, create a new, empty folder with a random name, extract the installer into it, and run the installer from that folder. Because the launcher loads DLLs from its current working directory, a freshly created folder that no one else has had the opportunity to write to denies an attacker the chance to place a DLL there beforehand.
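The following Python script is an added example, not part of the IBM bulletin or the OpenPages product: it implements the workaround above (a fresh, unpredictably named staging folder, checked to be free of DLLs before the launcher is started) and, as a companion check, audits an existing download folder for DLLs that sit beside an installer executable. All file names in it are constructed; no OpenPages file names are assumed.

```python
import secrets
import tempfile
from pathlib import Path

# Added example: an untrusted-search-path launcher (the CVE-2016-2542 class)
# picks up DLLs from its working directory, so we (1) look for DLLs placed
# next to installer executables and (2) stage the installer in a fresh,
# randomly named, owner-only directory that is verified empty of DLLs.


def _has_suffix(path, suffix):
    # Case-insensitive so the check behaves the same on Windows and POSIX.
    return path.is_file() and path.suffix.lower() == suffix


def find_planted_dlls(download_dir):
    """Return DLL paths that share a directory with an .exe (sorted, unique)."""
    flagged = set()
    for exe in Path(download_dir).rglob("*"):
        if not _has_suffix(exe, ".exe"):
            continue
        for entry in exe.parent.iterdir():
            if _has_suffix(entry, ".dll"):
                flagged.add(str(entry))
    return sorted(flagged)


def make_staging_dir(parent=None):
    """Create an empty, owner-only directory with a random name for extraction."""
    parent = Path(parent or tempfile.gettempdir())
    staging = parent / ("openpages-install-" + secrets.token_hex(8))
    staging.mkdir(mode=0o700)  # mode applies on POSIX; Windows ignores it
    return staging


def is_safe_to_launch(staging):
    """True when no DLL is present in the launcher's working directory."""
    return not any(_has_suffix(p, ".dll") for p in Path(staging).iterdir())


def demo():
    """Run both checks on a constructed sample layout (hypothetical file names)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "setup.exe").write_bytes(b"")            # stand-in for the launcher
        (root / "VERSION.DLL").write_bytes(b"")          # DLL placed beside it: flagged
        (root / "sub").mkdir()
        (root / "sub" / "lonely.dll").write_bytes(b"")   # no .exe here: not flagged
        flagged = [Path(p).name for p in find_planted_dlls(root)]
        staging = make_staging_dir(root)
        safe_before = is_safe_to_launch(staging)
        (staging / "planted.dll").write_bytes(b"")       # simulate a later drop
        safe_after = is_safe_to_launch(staging)
    return flagged, safe_before, safe_after
```

Run `demo()` to see the audit flag only the DLL beside the executable and the staging check flip from safe to unsafe once a DLL appears in the folder.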
References
Change History
5 August 2016: Original version published
*The CVSS Environmental Score is specific to the customer's environment and will ultimately affect the overall CVSS score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
15 June 2018
UID
swg21988401