Remote Code Execution Flaw Found in IBM QRadar

Saturday, May 5, 2018

Three vulnerabilities were discovered in IBM’s QRadar product that can be combined to allow a remote unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges. QRadar is IBM’s enterprise Security Information and Event Management (SIEM) product designed to help security analysts identify sophisticated threats on their networks.

The flaw chain has been assigned CVE-2018-1418. IBM's own advisory rates it with a CVSS base score of 5.6, but the entry published by NIST's National Vulnerability Database (NVD) scores it 9.8, which falls in the "critical" severity band. The gap matters for triage: anyone prioritising by the vendor score alone would treat an unauthenticated remote root as a medium.

According to the security researchers who discovered the flaws, QRadar ships with a built-in application for performing forensic analysis on files. Although the application is disabled in the Community Edition, its code is still present on disk and part of it still runs. The application consists of two components: a Java servlet and the main component, which is written in PHP. The servlet is affected by a vulnerability that can be exploited to bypass authentication, and the PHP component has a flaw that can then be leveraged to download and execute a shell.

According to IBM, the affected versions are QRadar SIEM 7.3.0 through 7.3.1 Patch 2 and QRadar SIEM 7.2.0 through 7.2.8 Patch 11. IBM urges users on the 7.3 train to upgrade to 7.3.1 Patch 3 and users on the 7.2 train to upgrade to 7.2.8 Patch 12.
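The affected and fixed builds above are inclusive ranges over a version string of the form "7.3.1 Patch 2", which is easy to misread by eye (a bare "7.3.1" sits inside the vulnerable range, not outside it). The following helper, added here as an example and not IBM's tooling or anything from the researchers' advisory, parses that format and classifies a build against the ranges quoted in the article. It assumes that patch numbers within a release train sort numerically after the base release (treated as patch 0) and that later releases in a train carry the fix forward; versions outside both trains are reported as not covered rather than as safe.

```python
import re
from typing import Tuple

# (major, minor, release, patch); a bare "7.3.1" is patch 0, the base release.
Version = Tuple[int, int, int, int]

# Accepts "7.3.1", "7.3.1 Patch 2" and the common shorthand "7.3.1 P2".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Patch|P)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Parse a QRadar version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised QRadar version string: {text!r}")
    major, minor, release, patch = m.groups()
    return (int(major), int(minor), int(release), int(patch or 0))


# Inclusive ranges as quoted from the IBM advisory in the article.
AFFECTED_RANGES = [
    (parse_version("7.3.0"), parse_version("7.3.1 Patch 2")),
    (parse_version("7.2.0"), parse_version("7.2.8 Patch 11")),
]

# First fixed build per release train, keyed by (major, minor).
FIXED_VERSIONS = {
    (7, 3): parse_version("7.3.1 Patch 3"),
    (7, 2): parse_version("7.2.8 Patch 12"),
}


def assess(text: str) -> str:
    """Classify a build as 'affected', 'fixed' or 'not covered by advisory'.

    Assumption: builds at or after the first fixed patch of a train, including
    later releases of that train, inherit the fix. Trains the advisory does not
    mention (e.g. 7.1.x) are reported as not covered, never as safe.
    """
    v = parse_version(text)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is not None and v >= fixed:
        return "fixed"
    return "not covered by advisory"


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real appliance.
    for build in ["7.3.1", "7.3.1 Patch 2", "7.3.1 Patch 3", "7.2.8 P11",
                  "7.2.8 Patch 12", "7.1.0"]:
        print(f"{build:16} -> {assess(build)}")
```

The "not covered" outcome is deliberate: a 7.1.x appliance is out of the advisory's scope, not cleared by it, and should be escalated rather than silently passed.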