A vulnerability has been found in IBM Sterling B2B Integrator Standard Edition 5.2.6.0/6.2.6.1 (Business Process Management Software) and classified as problematic. Affected by this vulnerability is an unknown functionality of the component Installation. The manipulation with an unknown input leads to a information disclosure vulnerability. The CWE definition for the vulnerability is CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. As an impact it is known to affect confidentiality. The summary by CVE is:

IBM Sterling B2B Integrator Standard Edition 5.2.6.0 and 6.2.6.1 could allow a local user to obtain highly sensitive information during a short time period when installation is occuring. IBM X-Force ID: 149607.

The bug was discovered 09/13/2018. The weakness was released 09/20/2018 (Website). The advisory is shared at exchange.xforce.ibmcloud.com. This vulnerability is known as CVE-2018-1800 since 12/12/2017. An attack has to be approached locally. The successful exploitation needs a single authentication. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

The vulnerability was handled as a non-public zero-day exploit for at least 7 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• Business Process Management Software

Vendor

• IBM

Name

• Sterling B2B Integrator Standard Edition

Version

• 5.2.6.0
• 6.2.6.1

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion