MFSBGN03810 rev.1 - Universal CMDB, Deserialization Java Objects and CSRF

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in Micro Focus UCMBD Server, specifically in DDM Content Pack versions V 10.20, 10.21, 10.22, 10.22 CUP7, 10.30, 10.31, 10.32, 10.33, 10.33 CUP2, 11.0 and CMS Server version 2018.05 BACKGROUND. The vulnerability allows remote unsafe deserialization of Java objects. This issue can be triggered when a user visits a crafted web page [1].

Exploitation

An attacker can exploit this by luring a UCMBD user to click on a malicious link or visit a crafted webpage, leveraging CSRF to perform actions on behalf of the authenticated user. With the unsafe deserialization aspect, the attacker can inject malicious serialized Java objects to achieve code execution. No special network position is required beyond internet access. User interaction is required [1].

Impact

Successful exploitation could lead to arbitrary code execution with the privileges of the UCMBD server process. This can result in full compromise of the system, including disclosure, modification, or destruction of data, and potential lateral movement [1].

Mitigation

Micro Focus has released a security bulletin [1] with updates. Affected users should apply the patch or upgrade to a fixed version as indicated in the advisory. If no patch is yet available, restrict network access to the server and avoid exposing it to untrusted networks [1].