
             AUSCERT External Security Bulletin Redistribution

       Security Bulletin: IBM Maximo Asset Management is vulnerable
                  to Privilege Escalation (CVE-2019-4530)
                             20 November 2019


        AusCERT Security Bulletin Summary

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Delete Arbitrary Files -- Existing Account
                   Increased Privileges   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-4530  

Original Bulletin: 

--------------------------BEGIN INCLUDED TEXT--------------------

IBM Maximo Asset Management is vulnerable to Privilege Escalation

Security Bulletin


IBM Maximo Asset Management could allow an authenticated user to delete a
record that they should not normally be able to.

Vulnerability Details

CVEID: CVE-2019-4530
DESCRIPTION: IBM Maximo Asset Management could allow an authenticated user to
delete a record that they should not normally be able to.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/165586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

|Affected Product(s)        |Version(s)|
|IBM Maximo Asset Management|7.6.0     |
|IBM Maximo Asset Management|7.6.1     |
|IBM Maximo Asset Management|   |


Please refer to Workarounds and Mitigations

Workarounds and Mitigations

The MXAPIWODETAIL object structure provides information on work order records
in Maximo. While work center users need access to read, insert, and save work
orders through this object structure, they do not need access to delete work
orders. The APAR fix removes the DELETE authorization for the MXAPIWODETAIL
object structure from the TECHNICIAN and SUPERVISOR work center templates.

While this fix ensures that incorrect access settings are not applied to any
future groups, it does not revoke the existing delete access that was
previously granted by the templates. You must remove access to the DELETE
authorization in the MXAPIWODETAIL object structure for all groups that are
linked to either the SUPERVISOR or TECHNICIAN templates.

To remove the existing delete access, perform the following steps for each
group that is linked to either the SUPERVISOR or TECHNICIAN templates:

1. Open the Security Groups application.
2. Find the group that is linked to either the SUPERVISOR or TECHNICIAN
templates and open it.
3. Click the Object Structures tab.
4. In the Object Structures table, find the MXAPIWODETAIL row and select it.
5. In the options table, uncheck the Grant Access check box for only the Delete
6. Save the record.

In versions of Maximo Asset Management prior to, you must also update
the TECHNICIAN and SUPERVISOR templates to remove the DELETE authorization for
the MXAPIWODETAIL object structure. However, you cannot modify out-of-the-box
templates by using the user interface. You must execute the following database
statement to remove the delete access:
delete from wctemplateauth where app = 'MXAPIWODETAIL' and workcenter in
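The statement above is printed without its template list, and an unscoped
delete against wctemplateauth would also remove the read, insert and save
grants the templates are supposed to keep. The following is an added example
of how a practitioner would run that cleanup, not the bulletin's own statement.
It assumes that wctemplateauth carries an optionname column holding the option
each row grants (READ, INSERT, SAVE, DELETE); the bulletin only names the app
and workcenter columns, so confirm the column name and the option values
against your own schema before running anything. Run with autocommit off:
preview the rows first, delete only the DELETE grant, verify, then commit.

```sql
-- Added example; not IBM's statement. Assumed: wctemplateauth has an
-- optionname column with values such as READ, INSERT, SAVE, DELETE.
-- Run with autocommit disabled so step 2 can be rolled back.

-- 1. Preview: these should be the only rows the cleanup touches
--    (expect one DELETE row per template, nothing else).
select workcenter, app, optionname
  from wctemplateauth
 where app = 'MXAPIWODETAIL'
   and workcenter in ('TECHNICIAN', 'SUPERVISOR')
   and optionname = 'DELETE';

-- 2. Remove only the DELETE grant for the two out-of-the-box templates.
--    Without the optionname predicate this would strip READ/INSERT/SAVE too.
delete from wctemplateauth
 where app = 'MXAPIWODETAIL'
   and workcenter in ('TECHNICIAN', 'SUPERVISOR')
   and optionname = 'DELETE';

-- 3. Verify before committing: each template should still list its
--    READ, INSERT and SAVE rows and no DELETE row for MXAPIWODETAIL.
select workcenter, optionname
  from wctemplateauth
 where app = 'MXAPIWODETAIL'
   and workcenter in ('TECHNICIAN', 'SUPERVISOR')
 order by workcenter, optionname;

-- 4. Commit only if step 3 shows the expected rows; otherwise rollback.
commit;
```

Remember that this only fixes the templates. As the bulletin notes, groups that
were already created from TECHNICIAN or SUPERVISOR keep the delete grant they
inherited, so the Security Groups steps above still have to be carried out for
each such group.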



--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967