MFSBGN03798 rev.1 - Micro Focus Universal CMDB, Apache Struts Instance
Description
Universal CMDB 4.10-4.12 contains a remote code execution vulnerability via an unspecified Apache Struts instance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An arbitrary code execution vulnerability exists in Micro Focus Universal CMDB versions 4.10, 4.11, and 4.12. The flaw resides within an Apache Struts instance integrated into the UCMDB Configuration Manager component, as documented in the security bulletin [1]. The exact component within the UCMDB product is not further specified, but the vector is remotely exploitable without authentication [1].
Exploitation
An attacker can exploit this vulnerability remotely over the network. The CVSS v3 vector string is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that while the attack complexity is high (some specialized conditions or configuration may be required), no privileges or user interaction are needed [1]. The specific steps are not detailed in the available references, but the vector suggests network-based input to the Apache Struts instance suffices.
Impact
Successful exploitation results in arbitrary code execution on the affected server. The CVSS v3 confidentiality, integrity, and availability impacts are all rated High [1]. An attacker can fully compromise the UCMDB server, gaining the ability to execute arbitrary commands with the privileges of the UCMDB service account.
Mitigation
Micro Focus has released a fix. The security bulletin (Document ID KM03086019) from 21-Feb-2018 provides remediation guidance [1]. Users are advised to apply the vendor-supplied patch or update to a fixed version beyond 4.12. No workarounds are disclosed in the available reference.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 4.10, 4.11, 4.12
- Micro Focus/Micro Focus Universal CMDB (v5), Range: 4.10, 4.11, 4.12
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03086019 (mitre, x_refsource_CONFIRM)