9.1.00: Fixes available for Remedy AR System security vulnerabilities

In October 2017, an article was published by Outpost24 reporting security vulnerabilities in Remedy Action Request (AR) System 9.1.03.001 and earlier versions, ranging from low to critical severity. The vulnerabilities include Remote File Inclusion and Local File Inclusion, Internal Path Disclosure, Cross-site Scripting, Cross-site Script Inclusion, log hijacking, session token disclosure, and authenticated code execution. BMC Software remains committed to security and to staying on top of vulnerability management and threat intelligence.

If you are running version 9.1.04 or later of Remedy AR System and Remedy Mid Tier, no action is required; version 9.1.04 contains the security vulnerability fixes. If you are running version 9.0.x to 9.1.03, we recommend that you immediately apply the fixes as described in this technical bulletin. Versions earlier than 9.0 are not affected. 

Security vulnerability issues and resolved version

The following security vulnerabilities were detected in Remedy AR System version 9.1.03.001 (SP3 patch 001) and earlier. We have assigned Common Vulnerabilities and Exposure (CVE) identifiers to notable vulnerabilities and included a Common Vulnerability Scoring System (CVSS) score.

Each entry below gives the CVE ID and CVSS v3.0 rating, the security vulnerability, and the component and version in which it is resolved.

CVE-2017-17674, CVSS v3.0: 9.0
Vulnerability: Remote File Inclusion and Local File Inclusion—The Eclipse Foundation BIRT Report Design Engine exposed in Remedy AR System enables an attacker to include arbitrary external or internal files. Because there are no restrictions on what can be targeted, the system can be vulnerable to attacks such as system fingerprinting, internal port scanning, Server Side Request Forgery (SSRF), or remote code execution (RCE).
Note: In Remedy AR System, the BIRT reporting tools have been replaced by BMC Remedy Smart Reporting; however, Remedy AR System still includes the BIRT reporting tools to support customers who are still using them.
Resolved in: Remedy Mid Tier 9.1.03.001 with the latest hotfix, or version 9.1.04 or later

No CVE, CVSS v3.0: 0.0
Vulnerability: Internal Path Disclosure—It is possible to disclose the internal document root path of Remedy AR System through the exposed BIRT Report Design Engine.
Resolved in: Remedy Mid Tier 9.1.03.001 with the latest hotfix, or version 9.1.04 or later

CVE-2017-17678, CVSS v3.0: 5.4
Vulnerability: Cross-site Scripting (XSS)—A DOM-based cross-site scripting vulnerability was discovered in a legacy utility.
Resolved in: Remedy Mid Tier 9.1.03.001 with the latest hotfix, or version 9.1.04 or later

No CVE, CVSS v3.0: 5.4
Vulnerability: Cross-Site Script Inclusion (XSSI)—Because Remedy AR System uses dynamically generated JavaScript to provide environment variables to users, this script could be included by a malicious third-party site and used to steal the CSRF token.
Resolved in: Remedy Mid Tier 9.1.03.001 with the latest hotfix, or version 9.1.04 or later
(Note: This security vulnerability was fixed in Remedy Mid Tier 9.1.00.002 with the latest hotfix.)

CVE-2017-17675, CVSS v3.0: 5.5
Vulnerability: Log hijacking—Remote logging can be accessed by unauthenticated users, allowing an attacker to hijack the system logs. This data can include user names and HTTP data.
Resolved in: Remedy Mid Tier 9.1.03.001 with the latest hotfix, or version 9.1.04 or later

No CVE, CVSS v3.0: 4.2
Vulnerability: Session token disclosure—Remedy Mid Tier uses an HTTP GET parameter that contains the user's current session token.
Resolved in: Remedy Mid Tier 9.1.03.001 with the latest hotfix, or version 9.1.04 or later

CVE-2017-17677, CVSS v3.0: 9.9
Vulnerability: Authenticated code execution—Authenticated users who have the right to create reports can use BIRT templates to run code.
Resolved in: Remedy AR System 9.1.03.001 with the latest hotfix, or version 9.1.04 or later
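
The XSSI entry above describes the general failure mode of serving secrets in an executable script. The following is an added illustration, not BMC's or Remedy's code; the environment keys and the token value are constructed. It shows why a script that assigns values to globals runs wherever it is included, and the anti-XSSI response shape (JSON behind a prefix that is a JavaScript syntax error) that same-origin code can still read.

```javascript
// Added example (not part of the Remedy code base). Contrasts an includable
// "environment" script with a hardened JSON response. Sample data is constructed.

const XSSI_PREFIX = ")]}',\n"; // common anti-XSSI guard; a syntax error as JavaScript

// Vulnerable shape: a script that assigns secrets to globals. A <script src>
// tag on any origin can load it, the browser attaches the victim's cookies,
// and the assigned values land in the third-party page's scope.
function renderEnvAsScript(env) {
  return Object.entries(env)
    .map(([key, value]) => `var ${key} = ${JSON.stringify(value)};`)
    .join("\n");
}

// Hardened shape: pure JSON behind the prefix. A <script> tag fails to parse
// it, while same-origin code fetches it, strips the prefix and JSON.parse()s
// the rest. Serve it as Content-Type: application/json with
// X-Content-Type-Options: nosniff so browsers refuse to treat it as script.
function renderEnvAsJson(env) {
  return XSSI_PREFIX + JSON.stringify(env);
}

// Same-origin consumer of the hardened response.
function parseEnvResponse(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("response is missing the anti-XSSI prefix");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Stand-in for what a <script src> tag does with the body: compile it as
// JavaScript. Returns true when the body would execute, i.e. when any origin
// that includes it gets the assigned values.
function executesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (err) {
    if (err instanceof SyntaxError) return false;
    throw err;
  }
}

// Constructed sample environment, as a mid-tier style page might expose it.
const sampleEnv = { serverName: "ar-demo.example", csrfToken: "CONSTRUCTED-TOKEN-0001" };
```

Checking `executesAsScript` on both renderings is the quickest way to see which response shape is includable cross-site.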

Downloading and applying the security vulnerability fixes

Depending on your current version of Remedy AR System, you can either apply a hotfix or install the latest version of Remedy AR System or Remedy Mid Tier. To apply the hotfix, download the file from ftp://ftp.bmc.com/pub/ARRecommendedFixes/SecurityVulnerabiltyFixes/9.1SP3P1/ according to the following table:

For the latest version of Remedy AR System and Remedy Mid Tier, see the Remedy AR System Release notes and notices page.


Comments

  1. Shayne Froelich

    The readme for the Mid-tier mentions that we need to import a .def file from the Midtier_security_vulnerabilities.rar file. I have downloaded and unzipped the Mid-Tier hotfix from the link above, but there is no .rar file anywhere to be found. Where are we supposed to get the reportform.def file from since it is not in the zip file?

    Mar 20, 2018 01:20
  2. Sandy Reid

    Hello Shayne,

    We apologize for the error. The Midtier_security_vulnerabilities.rar file is a separate file in the 9.1SP3P1 FTP folder. The instruction has been corrected.

    Sandy

    Mar 20, 2018 04:23