------------------------------------------------------------------------
File inclusion vulnerability in "BIRT Engine" servlet used in BMC Remedy AR Reporting

BMC Identifier: BMC-2015-0006
CVE Identifier: CVE-2015-5072
------------------------------------------------------------------------
By BMC Application Security, SEP 2015
------------------------------------------------------------------------
Vulnerability summary
------------------------------------------------------------------------
A security vulnerability has been identified in BMC Remedy AR Reporting. It can be exploited remotely by an authenticated user (the CVSS vector below scores Au:S) to navigate to any file on the server's local file system and disclose its contents; the vector records a partial confidentiality impact and no integrity or availability impact.
------------------------------------------------------------------------
CVSS v2.0 Base Metrics
------------------------------------------------------------------------
Reference: CVE-2015-5072
Base Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Base Score: 4.0
------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
The flaw has been confirmed to exist in BMC Remedy AR 8.1 and 9.0. Earlier versions may also be affected.
------------------------------------------------------------------------
Resolution
------------------------------------------------------------------------
A hotfix and a workaround are available at https://kb.bmc.com/infocenter/index?page=content&id=KA429507
------------------------------------------------------------------------
Credits
------------------------------------------------------------------------
Credit for discovery of this vulnerability: Stephan Tigges from tigges-security.de
------------------------------------------------------------------------
Reference
------------------------------------------------------------------------
CVE-2015-5072
Information about BMC's corporate procedure for external vulnerability disclosures is at http://www.bmc.com/security
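The file-inclusion pattern this advisory describes, shown generically: the Python below is an added example written for this page, not code from BMC's BIRT Engine servlet, and nothing in it is taken from the hotfix or workaround. The report directory, the request names and the file names are assumptions. `resolve_unsafe` is the vulnerable shape (a client-supplied name joined straight onto a report root, so `..` segments and absolute paths walk out of it); `resolve_safe` is the check a fix must enforce: canonicalize the result and refuse anything that is not inside the root.

```python
import os

# Hypothetical report directory used only for this illustration; the real
# BMC Remedy AR Reporting layout is not documented on this page. POSIX paths.
REPORT_ROOT = "/opt/bmc/ar/reports"


def resolve_unsafe(root, requested):
    """Vulnerable pattern: the client-supplied name is joined onto the root
    and handed to the file system. '..' segments walk out of the root, and
    os.path.join discards the root entirely when `requested` is absolute."""
    return os.path.normpath(os.path.join(root, requested))


def resolve_safe(root, requested):
    """Hardened resolution: reject NUL bytes and absolute paths, canonicalize
    (collapsing '..' and following symlinks), then require the result to be
    the root itself or a descendant of it. Raises ValueError otherwise."""
    if "\x00" in requested:
        raise ValueError("NUL byte in requested path")
    if os.path.isabs(requested):
        raise ValueError("absolute path rejected: %r" % requested)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # Prefix check includes the separator so '/opt/bmc/ar/reportsX' cannot pass.
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise ValueError("path escapes report root: %r" % requested)
    return candidate


def is_confined(root, requested):
    """True if resolve_safe would serve the file, False if it blocks it."""
    try:
        resolve_safe(root, requested)
        return True
    except ValueError:
        return False


# Constructed sample inputs (not from any real request), as a servlet would
# see them after the container has URL-decoded the request parameter.
SAMPLE_REQUESTS = [
    "monthly/incidents.rptdesign",       # legitimate report
    "monthly/../incidents.rptdesign",    # '..' that stays inside the root
    "../../../../etc/passwd",            # classic traversal out of the root
    "/etc/shadow",                       # absolute path; join discards the root
    "monthly/../../secret.txt",          # escapes the root by one level
]


def compare(root=REPORT_ROOT, requests=SAMPLE_REQUESTS):
    """Map each request to (path the vulnerable code would open, confined?)."""
    return {r: (resolve_unsafe(root, r), is_confined(root, r)) for r in requests}


if __name__ == "__main__":
    for req, (unsafe_path, ok) in compare().items():
        print("%-32s unsafe -> %-28s hardened -> %s"
              % (req, unsafe_path, "serve" if ok else "BLOCK"))
```

The check is done on the canonical path rather than by filtering `..` out of the string, because encoded, doubled or symlinked variants all collapse to the same real path, and that is the only thing the file system actually opens. A servlet container usually decodes the parameter once before the servlet sees it; if the application decodes again itself, run the confinement check after the last decode.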