IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)

critical Nessus Plugin ID 191754

Synopsis

The remote host is missing one or more security updates.

Description

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

- Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass. (CVE-2022-32532)

- The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
(CVE-2023-46604)

- Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be exploited. There is only a risk in conjunction with Java object deserialization within an application. In such situations, it allows attackers to erase contents of arbitrary files, make network connections, or possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

- IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

- A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows remote attackers to inject arbitrary web script through a crafted protected comment (with the cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade IBM DOORS based upon the guidance specified in 7124058.

See Also

https://www.ibm.com/support/pages/node/7124058

Plugin Details

Severity: Critical

ID: 191754

File Name: ibm_doors_7124058.nasl

Version: 1.2

Type: local

Agent: windows

Family: Windows

Published: 3/8/2024

Updated: 3/12/2024

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-32532

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

CVSS Score Source: CVE-2023-46604

Vulnerability Information

CPE: cpe:/a:ibm:rational_doors

Required KB Items: SMB/Registry/Enumerated, installed_sw/IBM DOORS

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/28/2024

Vulnerability Publication Date: 11/14/2018

CISA Known Exploited Vulnerability Due Dates: 3/17/2022, 10/31/2023, 11/23/2023

Exploitable With

Core Impact

Metasploit (Apache ActiveMQ Unauthenticated Remote Code Execution)

Reference Information

CVE: CVE-2018-17960, CVE-2019-10072, CVE-2020-11996, CVE-2020-13934, CVE-2020-13943, CVE-2020-14338, CVE-2020-17527, CVE-2020-1935, CVE-2020-1938, CVE-2020-27193, CVE-2020-36518, CVE-2020-9281, CVE-2021-23926, CVE-2021-25122, CVE-2021-26271, CVE-2021-27568, CVE-2021-29425, CVE-2021-33037, CVE-2021-33829, CVE-2021-37533, CVE-2021-37695, CVE-2021-41079, CVE-2021-41164, CVE-2021-41165, CVE-2021-43980, CVE-2021-46877, CVE-2022-24728, CVE-2022-24729, CVE-2022-25762, CVE-2022-29885, CVE-2022-32532, CVE-2022-36944, CVE-2022-42003, CVE-2022-42004, CVE-2022-42252, CVE-2022-43551, CVE-2022-43552, CVE-2023-1370, CVE-2023-23914, CVE-2023-23915, CVE-2023-23916, CVE-2023-24998, CVE-2023-27533, CVE-2023-27534, CVE-2023-27535, CVE-2023-27536, CVE-2023-27537, CVE-2023-27538, CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322, CVE-2023-28525, CVE-2023-28949, CVE-2023-32001, CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2023-35116, CVE-2023-38039, CVE-2023-38545, CVE-2023-38546, CVE-2023-41080, CVE-2023-42795, CVE-2023-43642, CVE-2023-44487, CVE-2023-45648, CVE-2023-46604, CVE-2023-50305, CVE-2023-50306, CVE-2024-21733

IAVA: 2024-A-0124