HCL DX vendor “failed to reproduce” allegedly critical vulnerabilities


The bug disclosure process in HCL DX – formerly WebSphere Portal – has apparently gone awry

HCL Digital Experience (DX), a platform for building and managing web portals, contains multiple vulnerabilities that could potentially lead to remote code execution (RCE), the researchers said.

However, the vendor, HCL Technologies, said it couldn’t reproduce the bugs – all server-side request forgery (SSRF) faults – according to a blog post posted by the Australian attack surface management company. Assetnote.

Assetnote also said that HCL Technologies, a CVE numbering authority, has refused to file CVEs until corrective actions are available.

WebSphere Portal

HCL DX was known as WebSphere Portal and Web Content Manager until HCL Technologies, an Indian multinational IT company, bought the software from IBM in 2019.

HCL Technologies lists the New York State Senate, Bank of Canada, and MidMichigan Health among platform users.

Assetnote researchers detected approximately 3,000 instances of the platform that were accessible on the Internet.

The suspected vulnerabilities affect Websphere Portal 9 and potentially newer versions, according to Assetnote.

“Extremely naive”

Shubham Shah, co-founder and CTO of Assetnote, wrote that the researchers “turned a bad restrictive SSRF into a good SSRF” after discovering an endpoint that allowed them to redirect requests to an arbitrary URL, by smuggling this “redirect gadget” into the original SSRF payload and open a diagram in a new tab.

After accessing the source code, Shah said the researchers “found something that seemed extremely naive and frankly we couldn’t understand why it existed in the first place”: a web proxy system deployed by default but limited to some “trusted” sites. .

Learn about the latest corporate security news

One of those trusted endpoints – http://www.redbooks.ibm.com/* – was running Lotus Domino to deliver content to users. [It] turns out, you can type on any Lotus Domino page to cause a URL redirect to the URL specified in the parameter, ”Shah said.

As a result, an attacker could “pivot to the internal network and / or request cloud metadata endpoints to obtain cloud credentials,” according to a security advisory published by Assetnote.

Unauthenticated attackers could also execute a command by downloading a malicious zip file which, when extracted, is vulnerable to directory traversal and therefore arbitrary file downloading, Shah said.

“If for some reason a user is able to script or adjust an existing script, then RCE is possible,” Shah said.

Disclosure Schedule

Assetnote said it disclosed its findings to HCL Technologies on September 5, informing them that they intended to publicly disclose the research on December 5, in accordance with its 90-day responsible disclosure policy.

After acknowledging that first contact on September 7, the publisher then indicated on November 8 that it had not been able to reproduce the vulnerabilities, according to the Assetnote timeline.

Shah asserted that HCL Technologies said on November 23 – its most recent submission – that if it did, “HCL Technologies will cite you as an irresponsible party of vulnerability disclosure to the communities we publish to.”

After several reminders about the 90-day disclosure, Assetnote finally published the notice on December 25 and a blog post on December 26.


Shah said WAF rules cannot be invoked to prevent exploitation of loopholes. Instead, he advised users to modify all files in their Websphere Portal installation so that no origin is whitelisted and remove a number of folders as discussed in the blog post, provided that their functionality is not required.

The WebSphere Portal attack surface “is large and diverse” and “there are still many other vulnerabilities to be discovered,” he added.

Shah of Assetnote said The daily sip on December 29, he had nothing to add to his published blog post at the moment.

HCL Technologies has yet to answer our follow-up questions, but we’ll update the article if and when they do.

ADVISED Swig Security Review 2021 – Part I


About Author

Comments are closed.