The Windows graphical user interface installer (setup.exe) used by WebSphere Message Broker, IBM Integration Bus, IBM Integration Bus Healthcare Pack, IBM Integration Bus Manufacturing Pack, and IBM Integration Bus Retail Pack, is susceptible to a DLL-planting vulnerability, where a malicious DLL that is present in the Windows search path could be loaded by the operating system in place of the genuine file.
**CVEID:** CVE-2016-4560
**DESCRIPTION:** Flexera InstallAnywhere could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability by placing a Trojan horse DLL in the current working directory of a setup-launcher executable file, which the launcher then loads in place of the genuine library, to gain elevated privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
The vulnerability affects the executable (.exe) installers and fix packs of the following products and versions:
IBM Integration Bus V9 for Windows (V9.0.0.0 -> V9.0.0.5)
WebSphere Message Broker V8 for Windows (V8.0.0.0 -> V8.0.0.7)
IBM Integration Bus Healthcare Pack V3 for Windows (V3.0.0.0 -> V3.0.0.1)
WebSphere Message Broker Connectivity Pack for Healthcare V8 for Windows (V8.0.0.0)
WebSphere Message Broker Connectivity Pack for Healthcare V7 for Windows (V7.0.0.0 -> V7.0.0.2)
IBM Integration Bus Manufacturing Pack V1 for Windows (V1.0.0.0 -> V1.0.0.1)
IBM Integration Bus Retail Pack V1 for Windows (V1.0.0.0)
Product | VRMF | APAR | Remediation/Fix
---|---|---|---
IBM Integration Bus Manufacturing Pack | V1 | IT15616 | The APAR is available in Fix Pack 1.0.0.2: http://www-01.ibm.com/support/docview.wss?uid=swg21987596
IBM Integration Bus | V9 | IT15601 | The APAR is available in Fix Pack 9.0.0.6: https://www-304.ibm.com/support/docview.wss?uid=swg24042598
WebSphere Message Broker | V8 | IT15601 | The APAR is available in Fix Pack 8.0.0.8: https://www-304.ibm.com/support/docview.wss?uid=swg24042925
IBM Integration Bus Retail Pack | V1 | IT15611 | IBM Integration Bus Retail Pack 1.0.0.0 has been repackaged so that it is no longer susceptible to the described vulnerability. The updated package is available via IBM Passport Advantage.
The following link directs you to the Passport Advantage Online web site. Passport Advantage is a secure web site that requires an account ID and password.
http://www.ibm.com/software/how-to-buy/passportadvantage/pao_customers.htm
For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at:
http://www.ibm.com/support/docview.wss?uid=swg27006308
To work around the InstallAnywhere untrusted search path vulnerability, which could otherwise allow a local user to gain elevated privileges, complete the following steps:
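The attack described in the advisory depends on an attacker-writable file sitting in the launcher's current working directory or beside the launcher itself, both of which Windows consults when resolving a DLL name. The following PowerShell script is an added example, not IBM's published workaround and not part of the original bulletin: it stages the installer in a freshly created directory whose ACL permits writes only by SYSTEM and local Administrators, refuses to proceed if any other file (in particular a DLL) is present or if any other principal holds write rights, and then starts the launcher with that directory as its working directory. The installer path and the staging root are assumptions supplied by the caller.

```powershell
# Added example (not IBM's procedure): stage an InstallAnywhere setup launcher in
# a fresh, admin-only directory and refuse to run it if anything else is present.
# $InstallerPath and $StageRoot are assumed inputs, not values from the advisory.
param(
    [Parameter(Mandatory = $true)]
    [string]$InstallerPath,                            # e.g. a downloaded setup.exe
    [string]$StageRoot = "$env:ProgramData\IIBStage"   # assumed staging location
)

$ErrorActionPreference = 'Stop'
$trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

# 1. Create a brand-new, empty directory so nothing pre-existing can be picked up
#    from the launcher's application directory or its working directory.
$stage = Join-Path $StageRoot ([guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $stage | Out-Null

# 2. Replace the inherited ACL: SYSTEM and Administrators get full control,
#    ordinary users get read/execute only, so a low-privileged local user cannot
#    plant a DLL next to the launcher.
$acl = Get-Acl -Path $stage
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
foreach ($principal in $trusted) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $principal, 'FullControl', $inherit, $prop, 'Allow')))
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', $inherit, $prop, 'Allow')))
Set-Acl -Path $stage -AclObject $acl

# 3. Copy only the installer into the staging directory.
$staged = Join-Path $stage (Split-Path -Path $InstallerPath -Leaf)
Copy-Item -Path $InstallerPath -Destination $staged

# 4. Pre-flight checks before anything is executed.
#    a) Exactly one file, the installer, and no DLL of any name.
$extra = Get-ChildItem -Path $stage -Force | Where-Object { $_.FullName -ne $staged }
if ($extra) {
    throw "Refusing to run: unexpected files in staging directory: $($extra.Name -join ', ')"
}
#    b) No principal outside the trusted set holds WriteData/CreateFiles (bit 2)
#       or AppendData/CreateDirectories (bit 4) on the directory.
$writers = (Get-Acl -Path $stage).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band 6) -ne 0) -and
    ($_.IdentityReference.Value -notin $trusted)
}
if ($writers) {
    throw "Refusing to run: staging directory writable by $($writers.IdentityReference.Value -join ', ')"
}

# 5. Run the launcher with the locked-down directory as its working directory, so
#    the 'current working directory' named in the advisory is one the attacker
#    cannot write to.
Start-Process -FilePath $staged -WorkingDirectory $stage -Wait
```

Run the script from an elevated prompt, since the installer itself requires administrative rights and `Set-Acl` on a ProgramData subdirectory does too. The ACL check in step 4b deliberately re-reads the ACL after `Set-Acl` rather than trusting the object it just built, so a policy or inheritance quirk that re-added a write ACE would be caught before the launcher starts.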