Errata: This is a correction of our previous disclosure email from September 23rd, 2015. Our previous posting implied that the security vulnerability we discovered was in the "BIRT Viewer" servlet itself. This is NOT the case; rather, the vulnerability is in how the "BIRT Viewer" was configured when embedded within the Remedy AR Reporting engine.

------------------------------------------------------------------------
File inclusion vulnerability caused by misconfiguration of "BIRT Viewer"
servlet as used in BMC Remedy AR Reporting

BMC Identifier: BMC-2015-0005
CVE Identifier: CVE-2015-5071
------------------------------------------------------------------------
By BMC Application Security, SEP 2015
------------------------------------------------------------------------
Vulnerability summary
------------------------------------------------------------------------
A security vulnerability has been identified in BMC Remedy AR Reporting. The vulnerability can be exploited remotely, allowing navigation to any local or remote file.
------------------------------------------------------------------------
CVSS v2.0 Base Metrics
------------------------------------------------------------------------
Reference: CVE-2015-5071
Base Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Base Score: 4.0
------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
The flaw has been confirmed to exist in BMC Remedy AR 8.1 and 9.0. Earlier versions may also be affected.
------------------------------------------------------------------------
Resolution
------------------------------------------------------------------------
A hotfix as well as a workaround are available at https://kb.bmc.com/infocenter/index?page=content&id=KA429507
------------------------------------------------------------------------
Credits
------------------------------------------------------------------------
Credit for discovery of this vulnerability: Stephan Tigges from tigges-security.de
------------------------------------------------------------------------
Reference
------------------------------------------------------------------------
CVE-2015-5071
Information about BMC's corporate procedure for external vulnerability disclosures is at http://www.bmc.com/security