Websphere Portal 9 and potentially newer releases are vulnerable to server-side request forgery, which allows attackers to request arbitrary URLs and read the full HTTP response for these requests.
Numerous SSRF vulnerabilities exist in Websphere Portal that can be exploited without any authentication.
Additionally, Websphere Portal is also vulnerable to post-authenticate command execution, through uploading a Zip file which when extracted is vulnerable to directory traversal.
An attacker can request arbitrary URLs on behalf of the Websphere Portal server. This could allow an attacker to pivot to the internal network and/or request cloud metadata endpoints to obtain cloud credentials. Users with post-authentication access can achieve RCE by uploading a malicious Zip file.
Websphere Portal 9 and potentially newer releases
WebSphere Portal is an enterprise software used to build and manage web portals. It provides access to web content and applications, while delivering personalized experiences for users. The WebSphere Portal package is a component of WebSphere application software.
We suggest that you modify all of the <span class="code_single-line">proxy-config.xml</span> files in your Websphere Portal installation so that no origins are whitelisted.
Additionally, if the functionality is not necessary for your installation of Websphere Portal, remove the following folders:
WebSphere/wp_profile/config/cells/dockerCell/applications/PA_WCM_Authoring_UI.earDo not rely on WAF rules to prevent exploitation of this issue. There are a number of ways to reach these endpoints that WAF rules may not sufficiently cover.
An advisory from HCL Technologies can be found here.
Post authentication RCE details can be found here
The blog post detailing the steps taken for the discovery of this vulnerability can be found here.
Assetnote Security Research Team
The timeline for this disclosure process can be found below:
- Sept 5th, 2021: Disclosure of SSRFs and Post Auth RCE (6 reports)
- Sept 7th, 2021: Initial response from HCL Technologies stating that the reports have been submitted to product teams
- Oct 5th, 2021: Sent a reminder that 30 days have lapsed and 60 days remain as per our responsible disclosure policy
- Oct 5th, 2021: Response stating that they will follow up with the team analyzing the vulnerabilities
- Nov 8th, 2021: Sent a reminder that 60 days have lapsed and 30 days remain as per our responsible disclosure policy
- Nov 8th, 2021: Response stating that they could not reproduce any of our findings, reminding us that we cannot claim CVEs for any of these issues as they are a CNA
- Nov 8th, 2021: Sent a request for CVEs to HCL Technologies for the issues identified - received no response
- Nov 20th, 2021: Sent another request for CVEs to HCL Technologies and reminded them that we will be publishing after the 90 day deadline (Dec 5th)
- Nov 23rd, 2021: Response stating that CVEs wont be filed until remediation steps are available
- Nov 23rd, 2021: Sent a reminder that we will be publishing after 90 day deadline, without CVEs available
- Nov 23rd, 2021: Response stating that if we publish any information about these vulnerabilities, <span class="code_single-line">HCL technologies will cite you as in irresponsible vulnerability disclosure party to the communities that we post to</span>
- Nov 23rd, 2021: Sent a reminder that we are following our 90 day disclosure policy as stated upon initial report
- Dec 3rd, 2021: Sent a reminder that 90 day deadline ends on Dec 5th
No response since Nov 23rd.