If a user has previously saved a credential and later performs an LDAP search with it, the saved search may remain accessible to that user account even if the account is not (or is no longer) a member of the LDAP server. Exploitation of this issue may allow an attacker to access data or issue privileged commands. IBM X-Force ID: 236601.
CVE-2017-5320 IBM UrbanCode Deploy (UCD) 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7.2.0.0 through 7.2.3.1 could allow a user who is able to view LDAP queries to view previously saved LDAP queries. IBM X-Force ID: 236601.
CVE-2017-5321 IBM UrbanCode Deploy (UCD) 7.0.0.0 through 7.0.5.12, 7.1.0.0 through 7.1.2.8, and 7
Potential Impact: Access to Previously Saved LDAP Queries by Users Who Are Not Authorized to Run Them
In certain circumstances, UCD may fail to reject LDAP queries that would ordinarily be rejected, because a matching LDAP search request was saved earlier. If the LDAP server is configured to allow all users to query it, an attacker may be able to discover previously saved search requests and thereby access data or issue privileged commands. IBM X-Force ID: 236601.
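As an added illustration, and not code from this page or from IBM UrbanCode Deploy, the following Python model shows the mechanism described in both the summary above and this Potential Impact section: a saved search is authorized once at save time and then replayed from a store without re-checking that the caller may still query the directory. The Directory stand-in, the class names and the sample directory entries are assumptions made for the example; the hardened variant re-checks authorization on every run and discards the stale saved search.

```python
# Constructed model of the failure mode described in the advisory text:
# a saved LDAP search is replayed without re-checking that the caller is
# still allowed to query the directory. Illustrative code written for this
# page, not UCD's implementation; all names here are assumptions.

# Constructed sample directory contents (not real data).
LDAP_ENTRIES = {
    "ou=people,dc=example,dc=com": [
        {"uid": "alice", "title": "deploy-admin"},
        {"uid": "bob", "title": "engineer"},
    ],
}


class Directory:
    """Stand-in for the LDAP server's authorization decision.

    allow_all_users models the configuration the advisory warns about:
    every account may query, so membership is never actually enforced.
    """

    def __init__(self, members, allow_all_users=False):
        self.members = set(members)
        self.allow_all_users = allow_all_users

    def can_query(self, account):
        return self.allow_all_users or account in self.members

    def search(self, account, base_dn, attr, value):
        if not self.can_query(account):
            raise PermissionError(f"{account} is not permitted to query the directory")
        return [e for e in LDAP_ENTRIES.get(base_dn, []) if e.get(attr) == value]


class VulnerableSavedSearchStore:
    """Authorizes only at save time; replays of a saved search skip the check."""

    def __init__(self, directory):
        self.directory = directory
        self.saved = {}

    def save(self, account, base_dn, attr, value):
        results = self.directory.search(account, base_dn, attr, value)
        self.saved[(account, base_dn, attr, value)] = results
        return results

    def run(self, account, base_dn, attr, value):
        key = (account, base_dn, attr, value)
        if key in self.saved:
            # BUG: the saved result is served even if the account has since
            # lost (or never really had) the right to query the directory.
            return self.saved[key]
        return self.directory.search(account, base_dn, attr, value)


class HardenedSavedSearchStore(VulnerableSavedSearchStore):
    """Re-checks authorization on every run, before consulting the store."""

    def run(self, account, base_dn, attr, value):
        if not self.directory.can_query(account):
            # Drop the stale saved search rather than leaving it to be found later.
            self.saved.pop((account, base_dn, attr, value), None)
            raise PermissionError(f"{account} is not permitted to query the directory")
        return super().run(account, base_dn, attr, value)


def replay_after_removal(store_cls):
    """Save a search as a member, remove the account from the directory, then
    replay the saved search. Returns the results served, or None if the
    replay was (correctly) rejected."""
    directory = Directory(members={"alice"})
    store = store_cls(directory)
    base = "ou=people,dc=example,dc=com"
    store.save("alice", base, "title", "deploy-admin")
    directory.members.discard("alice")  # alice is no longer an LDAP member
    try:
        return store.run("alice", base, "title", "deploy-admin")
    except PermissionError:
        return None


if __name__ == "__main__":
    print("vulnerable:", replay_after_removal(VulnerableSavedSearchStore))
    print("hardened:  ", replay_after_removal(HardenedSavedSearchStore))
```

Note that when the directory is created with allow_all_users=True, can_query() is true for every account, so even the hardened re-check cannot distinguish a member from an outsider. That is why restricting which accounts may query the LDAP server matters alongside the product upgrade.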
IBM UrbanCode Deploy (UCD) 7.0.0.0 through 7.2.3.1 and IBM UrbanCode Deploy (UCD) 8.0 have been updated with fixes for CVE-2017-5320, CVE-2017-5321, and CVE-2018-11487.
Solution Description
If you are running an affected version of UCD and have configured the LDAP server to accept queries from all users, upgrade to UCD 7.0.6.2 or later. Independently of the upgrade, restricting which accounts may query the LDAP server removes the precondition this issue depends on.
If you are using an earlier version of UCD that cannot be upgraded, contact IBM support for assistance.
Moderation note:
This post does not describe the impact of this vulnerability in any particular deployment scenario.
Timeline
Published on: 11/17/2022 17:15:00 UTC
Last modified on: 11/18/2022 19:27:00 UTC