CVE-2020-4703: IBM Spectrum Protect Plus Arbitrary Code Execution Vulnerability Alert

IBM recently issued a security bulletin announcing an arbitrary code execution vulnerability (CVE-2020-4703) in IBM Spectrum Protect Plus. The vulnerability allows an authenticated attacker to upload arbitrary files, which could then be used to execute arbitrary code on a vulnerable server. CVE-2020-4703 is the result of an incomplete fix for CVE-2020-4470, which was disclosed in June.

IBM also announced a directory traversal vulnerability, CVE-2020-4711. By sending a specially crafted URL request containing "dot dot" sequences (/../), an attacker can view arbitrary files on the system.
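The traversal described above is a generic "/../" escape from a web root, so it can be both blocked at request time and hunted for in access logs. The following is an added example, not code from the IBM advisory, the product, or the published PoC: it resolves a percent-decoded request path (repeatedly decoded, to catch double encoding) against a hypothetical document root and rejects anything that lands outside it, then runs that same check over a few constructed access-log lines. The document root, the `/api/` and `/docs/` endpoints, the IP addresses and the log lines are all invented for illustration; none of them comes from the advisory.

```python
"""Added example (not IBM's or the PoC's code): detect "/../" path traversal.

1. resolve_under_root()/is_traversal_attempt(): request-side canonicalisation
   check against a hypothetical document root.
2. scan_access_log(): the same check applied to constructed access-log lines
   so traversal probes can be found after the fact.
"""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

DOC_ROOT = "/opt/app/webroot"  # hypothetical document root (assumption)


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (catches %252e%252e)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def resolve_under_root(request_path: str, root: str = DOC_ROOT) -> Optional[str]:
    """Map a URL path onto the filesystem; return None if it escapes root."""
    decoded = fully_decode(request_path).replace("\\", "/")
    # normpath collapses "a/../b" -> "b"; joining to root first means any
    # surplus ".." climbs above root and is caught by the prefix check below.
    target = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target


def is_traversal_attempt(request_path: str) -> bool:
    """True when the (decoded, normalised) path would leave DOC_ROOT."""
    return resolve_under_root(request_path) is None


# Constructed sample lines in combined-log style; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Sep/2020:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [14/Sep/2020:10:01:09 +0000] "GET /api/../../../etc/passwd HTTP/1.1" 200 1870
10.0.0.7 - - [14/Sep/2020:10:01:10 +0000] "GET /api/..%2f..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.7 - - [14/Sep/2020:10:01:11 +0000] "GET /api/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 220
10.0.0.9 - - [14/Sep/2020:10:02:00 +0000] "GET /docs/../docs/guide.pdf HTTP/1.1" 200 90210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_access_log(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, raw_path, status) for each request that escapes DOC_ROOT.

    A 2xx status on a flagged line means the traversal most likely succeeded
    and the host needs triage; a 4xx means it was probed but blocked.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        if is_traversal_attempt(path):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        verdict = "likely succeeded" if 200 <= status < 300 else "blocked"
        print(f"{ip} {path} -> {status} ({verdict})")
```

Note that `/docs/../docs/guide.pdf` is not flagged: after normalisation it still resolves inside the root, which is the correct outcome for a canonicalisation check, whereas a naive substring match on `..` would have produced a false positive there and missed the `%2e%2e` variants entirely.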

[Image: IBM z15 mainframe. "ML1_1056" by IBM DACH is licensed under CC BY-NC 2.0]

A technical analysis of these vulnerabilities and a proof of concept (PoC) have already been published on the Internet.

Affected version

  • IBM Spectrum Protect Plus 10.1.0-10.1.6

Unaffected version

  • IBM Spectrum Protect Plus 10.1.6 ifix4

Solution

IBM has released an interim fix for these vulnerabilities; no other mitigations or workarounds are available. Given that a detailed analysis and a PoC are public, users are advised to update IBM Spectrum Protect Plus to the unaffected version as soon as possible.