JSP Code Execution Flaw in IBM and Lenovo Networking Products
CVE-2015-7818

Currently unrated

Key Information:

Vendor: IBM
Status: System Networking Switch Center
Vendor: CVE Published:; 12 November 2015

Summary

The administration-panel web service in IBM System Networking Switch Center and Lenovo Switch Center versions prior to the specified updates allows unauthorized local users to execute arbitrary JSP code. This can be achieved using the Apache Axis AdminService deployment method to upload a malicious .jsp file, granting SYSTEM privileges which may lead to further exploitation of the system.

References

http://www.zerodayinitiative.com/advisories/ZDI-15-551/

x_refsource_MISC

https://support.lenovo.com/us/en/product_security/len_201...

x_refsource_CONFIRM

Timeline

Vulnerability published
Nov 12, 2015
Vulnerability Reserved
Oct 14, 2015