Details of VAR-201601-0651

ID

VAR-201601-0651

CVE

CVE-2015-5018

TITLE

IBM Security Access Manager for Web and Security Access Manager In any OS Command execution vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2015-006652

DESCRIPTION

IBM Security Access Manager for Web 7.0.0 before FP19 and 8.0 before 8.0.1.3 IF3, and Security Access Manager 9.0 before 9.0.0.0 IF1, allows remote authenticated users to execute arbitrary OS commands by leveraging Local Management Interface (LMI) access. Attackers can exploit this issue to execute arbitrary OS commands in context of the affected application. Failed exploit attempts will result in denial-of-service conditions. The former is a set of products used in user authentication, authorization and Web single sign-on solutions, which provides user access management and Web application protection functions, and the latter is a set of scalable network access for network, cloud and mobile environments Functional security solutions, which can help customers and enterprises to view user access behaviors in many network applications and services, and solve the security problems caused by them. There are security holes in ISAM for Web and ISAM. The following versions are affected: ISAM for Web versions 7.0 and 8.0, ISAM version 9.0

Trust: 1.98

sources: NVD: CVE-2015-5018 // JVNDB: JVNDB-2015-006652 // BID: 79878 // VULHUB: VHN-82979

AFFECTED PRODUCTS

vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.12	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.2	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.6	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.4	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.3	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.7	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.5	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.8	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.10	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.9	Trust: 1.6
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.14	Trust: 1.0
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.16	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.1.0	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.3	Trust: 1.0
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.15	Trust: 1.0
vendor:	ibm	model:	security access manager 9.0	scope:	eq	version:	9.0.0	Trust: 1.0
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.13	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.5	Trust: 1.0
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.1	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.2	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.1	Trust: 1.0
vendor:	ibm	model:	security access manager for web 7.0	scope:	eq	version:	7.0.0.11	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.1.3	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.1.2	Trust: 1.0
vendor:	ibm	model:	security access manager for web 8.0	scope:	eq	version:	8.0.0.1	Trust: 1.0
vendor:	ibm	model:	security access manager for web software	scope:	lt	version:	7.0.0	Trust: 0.8
vendor:	ibm	model:	security access manager for web software	scope:	eq	version:	7.0.0 fp19	Trust: 0.8
vendor:	ibm	model:	security access manager software	scope:	eq	version:	9.0.0.0 if1	Trust: 0.8
vendor:	ibm	model:	security access manager for web software	scope:	lt	version:	8.0	Trust: 0.8
vendor:	ibm	model:	security access manager software	scope:	lt	version:	9.0	Trust: 0.8
vendor:	ibm	model:	security access manager for web software	scope:	eq	version:	8.0.1.3 if3	Trust: 0.8
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0.1	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.03	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.02	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0.1.3	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0.1.2	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0.1.1	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0.1.0	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0.0.5	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0.0.4	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	8.0	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.9	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.8	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.7	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.6	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.5	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.4	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.3	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.2	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.18	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.17	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.16	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.15	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.14	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.13	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.12	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.11	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.10	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0.0.1	Trust: 0.3
vendor:	ibm	model:	security access manager for web	scope:	eq	version:	7.0	Trust: 0.3
vendor:	ibm	model:	security access manager for web fp19	scope:	ne	version:	7.0	Trust: 0.3
vendor:	ibm	model:	security access manager for web if3	scope:	ne	version:	8.0.1.3	Trust: 0.3

sources: BID: 79878 // JVNDB: JVNDB-2015-006652 // CNNVD: CNNVD-201601-008 // NVD: CVE-2015-5018

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-5018
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-5018
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201601-008
value:	HIGH
Trust: 0.6
VULHUB:	VHN-82979
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2015-5018
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-82979
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:M/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	6.8
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-5018
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.3
impactScore:	6.0
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-82979 // JVNDB: JVNDB-2015-006652 // CNNVD: CNNVD-201601-008 // NVD: CVE-2015-5018

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.9

sources: VULHUB: VHN-82979 // JVNDB: JVNDB-2015-006652 // NVD: CVE-2015-5018

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201601-008

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201601-008

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006652

PATCH

title:	1970510	url:	http://www-01.ibm.com/support/docview.wss?uid=swg21970510	Trust: 0.8
title:	IBM Security Access Manager for Web and Security Access Manager Fixes for operating system command injection vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=59404	Trust: 0.6

sources: JVNDB: JVNDB-2015-006652 // CNNVD: CNNVD-201601-008

EXTERNAL IDS

db:	NVD	id:	CVE-2015-5018	Trust: 2.8
db:	SECTRACK	id:	1034560	Trust: 1.1
db:	JVNDB	id:	JVNDB-2015-006652	Trust: 0.8
db:	CNNVD	id:	CNNVD-201601-008	Trust: 0.7
db:	BID	id:	79878	Trust: 0.4
db:	VULHUB	id:	VHN-82979	Trust: 0.1

sources: VULHUB: VHN-82979 // BID: 79878 // JVNDB: JVNDB-2015-006652 // CNNVD: CNNVD-201601-008 // NVD: CVE-2015-5018

REFERENCES

url:	http://www-01.ibm.com/support/docview.wss?uid=swg21970510	Trust: 2.0
url:	http://www-01.ibm.com/support/docview.wss?uid=swg1iv78768	Trust: 1.7
url:	http://www-01.ibm.com/support/docview.wss?uid=swg1iv78780	Trust: 1.7
url:	http://www.securitytracker.com/id/1034560	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5018	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5018	Trust: 0.8
url:	http://www-03.ibm.com/software/products/en/access-mgr-web	Trust: 0.3

sources: VULHUB: VHN-82979 // BID: 79878 // JVNDB: JVNDB-2015-006652 // CNNVD: CNNVD-201601-008 // NVD: CVE-2015-5018

CREDITS

IBM

Trust: 0.3

sources: BID: 79878

SOURCES

db:	VULHUB	id:	VHN-82979
db:	BID	id:	79878
db:	JVNDB	id:	JVNDB-2015-006652
db:	CNNVD	id:	CNNVD-201601-008
db:	NVD	id:	CVE-2015-5018

LAST UPDATE DATE

2024-11-23T21:54:41.481000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-82979	date:	2016-12-07T00:00:00
db:	BID	id:	79878	date:	2015-12-14T00:00:00
db:	JVNDB	id:	JVNDB-2015-006652	date:	2016-01-08T00:00:00
db:	CNNVD	id:	CNNVD-201601-008	date:	2016-01-07T00:00:00
db:	NVD	id:	CVE-2015-5018	date:	2024-11-21T02:32:11.287

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-82979	date:	2016-01-02T00:00:00
db:	BID	id:	79878	date:	2015-12-14T00:00:00
db:	JVNDB	id:	JVNDB-2015-006652	date:	2016-01-08T00:00:00
db:	CNNVD	id:	CNNVD-201601-008	date:	2016-01-05T00:00:00
db:	NVD	id:	CVE-2015-5018	date:	2016-01-02T05:59:03.800