Flexera InstallAnywhere CVE-2016-4560 Local Code Execution Vulnerability

Flexera InstallAnywhere is prone to a local arbitrary code-execution vulnerability because it fails to sanitize user-supplied input.

A local attacker can exploit these issues to execute arbitrary code in the context of the user running the affected application.

Information

Bugtraq ID: 90979
Class: Unknown
CVE: CVE-2016-4560

Remote: No
Local: Yes
Published: May 24 2016 12:00AM
Updated: Oct 10 2018 10:00AM
Credit: AusCERT
Vulnerable: IBM WebSphere MQ File Transfer Edition 7.0.4
IBM WebSphere MQ File Transfer Edition 7.0.3
IBM WebSphere MQ File Transfer Edition 7.0.0.4
IBM WebSphere MQ File Transfer Edition 7.0.0.0
IBM WebSphere MQ File Transfer Edition 7.0
IBM Websphere Mq Explorer 8.0 1
IBM Websphere Mq Explorer 7.5 .0
IBM Websphere Mq Explorer 8.0.0.0
IBM Websphere Mq Explorer 7.5.0.4
IBM Websphere Mq Explorer 7.5.0.3
IBM Websphere Mq Explorer 7.5.0.2
IBM Websphere Mq Explorer 7.5.0.1
IBM Websphere Mq Explorer 7.0.1.5
IBM WebSphere MQ Explore 8.0.0.4
IBM WebSphere MQ Explore 8.0.0.3
IBM WebSphere MQ Evaluation 8.0.0.4
IBM WebSphere MQ Evaluation 8.0.0.0
IBM WebSphere MQ Evaluation 7.5.0.6
IBM WebSphere MQ Evaluation 7.5.0.0
IBM WebSphere MQ Evaluation 7.1.0.7
IBM WebSphere MQ Evaluation 7.1.0.0
IBM Websphere MQ Advanced Message Security 7.0.1 3
IBM Websphere MQ Advanced Message Security 7.0.1.0
IBM WebSphere MQ 7.1 1
IBM WebSphere MQ 7.0.1 9
IBM WebSphere MQ 7.0.1 8
IBM WebSphere MQ 7.0.1 7
IBM WebSphere MQ 7.0.1 6
IBM WebSphere MQ 7.0.1 .2
IBM WebSphere MQ 7.0.1 .1
IBM WebSphere MQ 7.0.1
IBM WebSphere MQ 7.0 2
IBM WebSphere MQ 6.0.2 6
IBM WebSphere MQ 6.0.2 .9
IBM WebSphere MQ 6.0.2 .7
IBM WebSphere MQ 6.0.2 .6
IBM WebSphere MQ 6.0.2 .5
IBM WebSphere MQ 6.0.2 .4
IBM WebSphere MQ 6.0.2 .3
IBM WebSphere MQ 6.0.2 .2
IBM WebSphere MQ 6.0.2 .1
IBM WebSphere MQ 6.0.1 .1
IBM WebSphere MQ 6.0.1
IBM WebSphere MQ 5.3.1
IBM WebSphere MQ 5.3 .0.6
IBM WebSphere MQ 5.3 .0.5
IBM WebSphere MQ 5.3 .0.1
IBM WebSphere MQ 5.3
IBM WebSphere MQ 8.0.0.4
IBM WebSphere MQ 8.0.0.3
IBM WebSphere MQ 8.0.0.2
IBM WebSphere MQ 8.0.0.1
IBM WebSphere MQ 8.0.0.0
IBM WebSphere MQ 7.5.0.6
IBM WebSphere MQ 7.5.0.5
IBM WebSphere MQ 7.5.0.4
IBM WebSphere MQ 7.5.0.3
IBM WebSphere MQ 7.5.0.2
IBM WebSphere MQ 7.5.0.1
IBM WebSphere MQ 7.5
IBM WebSphere MQ 7.1.0.7
IBM WebSphere MQ 7.1.0.6
IBM WebSphere MQ 7.1.0.5
IBM WebSphere MQ 7.1.0.4
IBM WebSphere MQ 7.1.0.3
IBM WebSphere MQ 7.1.0.2
IBM WebSphere MQ 7.1
IBM WebSphere MQ 7.0.4.3
IBM WebSphere MQ 7.0.4.2
IBM WebSphere MQ 7.0.4.1
IBM WebSphere MQ 7.0.4
IBM WebSphere MQ 7.0.3
IBM WebSphere MQ 7.0.2
IBM WebSphere MQ 7.0.1.5
IBM WebSphere MQ 7.0.1.4
IBM WebSphere MQ 7.0.1.3
IBM WebSphere MQ 7.0.1.13
IBM WebSphere MQ 7.0.1.12
IBM WebSphere MQ 7.0.1.11
IBM WebSphere MQ 7.0.1.10
IBM WebSphere MQ 7.0.1.0
IBM WebSphere MQ 7.0.0.1
IBM WebSphere MQ 7.0.0.0
IBM WebSphere MQ 6.0.2.8
IBM WebSphere MQ 6.0.2.10
IBM WebSphere MQ 6.0.2.0
IBM WebSphere MQ 6.0.1.0
IBM WebSphere MQ 6.0.0.0
IBM WebSphere MQ 5.3.1.10
IBM WebSphere MQ 5.3 Fp 13
IBM WebSphere MQ 5.3 Fix Pack 14
IBM WebSphere MQ 5.3
IBM Watson Explorer Annotation Administration Console 11.0.0.3
IBM Watson Explorer Annotation Administration Console 11.0.0.2
IBM Watson Explorer Annotation Administration Console 11.0.0.0
IBM Watson Explorer Annotation Administration Console 10.0.0.2
IBM Watson Explorer Annotation Administration Console 10.0
IBM Watson Explorer Analytical Components 11.0.0.3
IBM Watson Explorer Analytical Components 11.0.0.1
IBM Watson Explorer Analytical Components 11.0.0.0
IBM Watson Explorer Analytical Components 10.0.0.2
IBM Watson Explorer Analytical Components 10.0
IBM Watson Content Analytics 3.5.0.3
IBM Watson Content Analytics 3.5.0.2
IBM Watson Content Analytics 3.5
IBM Watson Content Analytics 3.0.0.6
IBM Watson Content Analytics 3.0.0.5
IBM Watson Content Analytics 3.0
IBM Watson Content Analytics 2.2.0.3
IBM Watson Content Analytics 2.2
IBM Watson Content Analytics 2.1.0.2
IBM Watson Content Analytics 2.1
IBM Tivoli Storage Productivity Center 5.2.6
IBM Tivoli Storage Productivity Center 5.2.5
IBM Tivoli Storage Productivity Center 5.2.2
IBM Tivoli Storage Productivity Center 5.2.1 0
IBM Tivoli Storage Productivity Center 5.2
IBM Tivoli Storage Productivity Center 5.1.1 3
IBM Tivoli Storage Productivity Center 5.1.1
IBM Tivoli Storage Productivity Center 5.1
IBM Tivoli Storage Productivity Center 4.2.2
IBM Tivoli Storage Productivity Center 4.1.1
IBM Tivoli Storage Productivity Center 4.1
IBM Tivoli Storage Productivity Center 3.3
IBM Tivoli Storage Productivity Center 5.2.7
IBM Tivoli Storage Productivity Center 5.2.4
IBM Tivoli Storage Productivity Center 5.2.3
IBM Tivoli Storage Productivity Center 5.1.1.9
IBM Tivoli Storage Productivity Center 5.1.1.8
IBM Tivoli Storage Productivity Center 5.1.1.7
IBM Tivoli Storage Productivity Center 5.1.1.6
IBM Tivoli Storage Productivity Center 5.1.1.5
IBM Tivoli Storage Productivity Center 5.1.1.4
IBM Tivoli Storage Productivity Center 5.1.1.2
IBM Tivoli Storage Productivity Center 5.1.1.1
IBM Tivoli Storage Productivity Center 4.2.1
IBM Tivoli Storage Productivity Center 4.2.0
IBM Tivoli Storage Manager Administration Center 6.3.5.0
IBM Tivoli Storage Manager Administration Center 6.3
IBM Tivoli Storage Manager Administration Center 6.2
IBM Tivoli Storage Manager Administration Center 6.1
IBM Tivoli Monitoring for Tivoli Storage Manager 6.3.5.0
IBM Tivoli Monitoring for Tivoli Storage Manager 6.3.0.0
IBM Tivoli Monitoring for Tivoli Storage Manager 6.2
IBM Tivoli Monitoring for Tivoli Storage Manager 6.1
IBM Tivoli Monitoring for Tivoli Storage Manager 5.5
IBM Tivoli Asset Discovery for Distributed 7.5
IBM Tivoli Asset Discovery for Distributed 7.2
IBM Sterling Connect:Direct FTP+ 1.3
IBM Sterling Connect:Direct FTP+ 1.2
IBM Sterling Connect:Direct FTP+ 1.1
IBM Spectrum Control 5.2.9
IBM Spectrum Control 5.2.8
IBM Security AppScan Source 9.0.3
IBM Security AppScan Source 9.0.2
IBM Security AppScan Source 9.0.1
IBM Security AppScan Source 9.0
IBM Security AppScan Source 8.8
IBM Security AppScan Source 8.7
IBM SDK for Node.js 6.1.0.0
IBM SDK for Node.js 4.4.4.0
IBM SDK for Node.js 1.2.0.12
IBM SDK for Node.js 1.1.1.1
IBM Predictive Insight 9.0
IBM Predictive Insight 8.6
IBM Predictive Insight 8.5
IBM Marketing Platform 9.1.2
IBM Marketing Platform 9.1.1
IBM Marketing Platform 9.1 1
IBM Marketing Platform 8.5 2
IBM Marketing Platform 8.5 1
IBM Marketing Platform 9.1.0.2
IBM Marketing Platform 9.1.0.0
IBM Marketing Platform 9.1 Fix Pack 2
IBM Marketing Platform 9.1
IBM Marketing Platform 9.0.0.2
IBM Marketing Platform 9.0.0.1
IBM Marketing Platform 9.0.0.0
IBM Marketing Platform 8.6.0.6
IBM Marketing Platform 8.6.0.5
IBM Marketing Platform 8.6.0.4
IBM Marketing Platform 8.6.0.3
IBM Marketing Platform 8.6.0.2
IBM Marketing Platform 8.6.0.1
IBM Marketing Platform 8.6.0.0
IBM Marketing Platform 8.5.0.7
IBM Marketing Platform 8.5.0.6
IBM Marketing Platform 8.5.0.5
IBM Marketing Platform 8.5.0.3
IBM Marketing Platform 8.5.0.0
IBM Marketing Operations 9.1.2
IBM Marketing Operations 9.1.1
IBM Marketing Operations 9.1
IBM Marketing Operations 9.0
IBM Marketing Operations 8.6
IBM Marketing Operations 8.5
IBM License Metric Tool 7.5
IBM License Metric Tool 7.2.2
IBM Leads 9.1
IBM Leads 9.0
IBM Leads 8.6
IBM Leads 8.5
IBM Interact 9.1.2
IBM Interact 9.1
IBM Interact 8.5
IBM InfoSphere Optim pureQuery Runtime 3.3
IBM InfoSphere Optim Performance Manager for DB2 on Windows 5.3.1
IBM InfoSphere Optim Performance Manager for DB2 on Windows 5.1.1
IBM InfoSphere Optim Performance Manager for DB2 on Windows 5.3
IBM InfoSphere Optim Performance Manager for DB2 on Windows 5.2
IBM InfoSphere Optim Performance Manager for DB2 on Windows 5.1.1.1
IBM InfoSphere Optim Performance Manager for DB2 on UNIX 5.3.1
IBM InfoSphere Optim Performance Manager for DB2 on UNIX 5.1.1
IBM InfoSphere Optim Performance Manager for DB2 on UNIX 5.3
IBM InfoSphere Optim Performance Manager for DB2 on UNIX 5.2
IBM InfoSphere Optim Performance Manager for DB2 on UNIX 5.1.1.1
IBM InfoSphere Optim Performance Manager for DB2 on Linux 5.3.1
IBM InfoSphere Optim Performance Manager for DB2 on Linux 5.1.1
IBM InfoSphere Optim Performance Manager for DB2 on Linux 5.3
IBM InfoSphere Optim Performance Manager for DB2 on Linux 5.2
IBM InfoSphere Optim Performance Manager for DB2 on Linux 5.1.1.1
IBM InfoSphere Optim High Performance Unload for DB2 5.1.0.1
IBM InfoSphere Optim Configuration Manager 2.1
IBM InfoSphere Data Replication for Non-Production Environments 10.2.1
IBM InfoSphere Data Replication for Non-Production Environments 10.1.3
IBM InfoSphere Data Replication for Netezza 11.3
IBM InfoSphere Data Replication for Netezza 10.2.1
IBM InfoSphere Data Replication for Netezza 10.2
IBM InfoSphere Data Replication for Netezza 10.1.3
IBM InfoSphere Data Replication for Netezza 10.1.2
IBM InfoSphere Data Replication for Database Migration 11.3.3
IBM InfoSphere Data Replication for Database Migration 10.2.1
IBM InfoSphere Data Replication for Database Migration 10.1.3
IBM InfoSphere Data Replication for Apache Hadoop 11.3.3
IBM Infosphere Data Replication 11.3.3
IBM Infosphere Data Replication 11.3
IBM Infosphere Data Replication 10.2.1
IBM Infosphere Data Replication 10.2
IBM Infosphere Data Replication 10.1.3
IBM Infosphere Data Replication 10.1.2
IBM Infosphere Data Replication 10.1.1
IBM Infosphere Data Replication 10.1
IBM Informix Dynamic Server 12.10
IBM Informix Dynamic Server 11.7
IBM Informix Dynamic Server 11.5
IBM Informix CSDK 4.10
IBM Informix CSDK 3.70
IBM Informix CSDK 3.50
IBM FileNet eProcess 5.2
IBM FileNet Content Manager 5.2.1
IBM FileNet Content Manager 5.2.0
IBM FileNet Content Manager 5.1.0
IBM FileNet Business Process Manager 5.0
IBM FileNet Business Process Manager 4.5.1
IBM Endpoint Manger for Software Use Analysis 2.2
IBM eDiscovery Manager 2.2.1
IBM eDiscovery Manager 2.2.2
IBM eDiscovery Manager 2.2
IBM Distributed Marketing 9.1.2
IBM Distributed Marketing 9.1
IBM Distributed Marketing 9.0
IBM Distributed Marketing 8.6
IBM Distributed Marketing 8.5
IBM DB2 Recovery Expert for Linux, UNIX and Windows 4.1
IBM DB2 Recovery Expert for Linux, UNIX and Windows 3.1
IBM DB2 Merge Backup for Linux UNIX and Windows 2.1.0.1
IBM Data Server Runtime Client 9.7
IBM Data Server Runtime Client 10.5
IBM Data Server Runtime Client 10.1
IBM Data Server Driver Package 9.7
IBM Data Server Driver Package 10.5
IBM Data Server Driver Package 10.1
IBM Daeja ViewONE 4.1.5
IBM Daeja ViewONE 4.1.4
IBM Daeja ViewONE 4.1.3
IBM Daeja ViewONE 4.1.2
IBM Daeja ViewONE 4.1.0.1.0
IBM Daeja ViewONE 4.1
IBM Content Foundation 5.2.1
IBM Content Foundation 5.2.0
IBM Content Collector for SAP Applications 3.0
IBM Content Collector for SAP Applications 2.2
IBM Contact Optimization 9.1.2
IBM Contact Optimization 9.1.1
IBM Contact Optimization 9.1 0
IBM Contact Optimization 9.1
IBM Contact Optimization 9.1.0.4
IBM Contact Optimization 9.1
IBM Contact Optimization 9.0
IBM Contact Optimization 8.6
IBM Contact Optimization 8.5
IBM Campaign 9.1.2
IBM Campaign 9.1.1
IBM Campaign 9.1 1
IBM Campaign 9.1 0
IBM Campaign 9.1
IBM Campaign 9.1.0.4
IBM Campaign 9.1
IBM Campaign 9.0
IBM Campaign 8.6
IBM Campaign 8.5
Flexera InstallAnywhere 0

Not Vulnerable: IBM Tivoli Storage Productivity Center 5.2.10
IBM Tivoli Storage Productivity Center 5.1.1.10
IBM Sterling Connect:Direct FTP+ 1.1.15 Fix 11
IBM Sterling Connect:Direct FTP+ 1.3.0.iFix004
IBM Sterling Connect:Direct FTP+ 1.2.0.iFix007
IBM Spectrum Control 5.2.10
IBM SDK for Node.js 6.2.0.0
IBM SDK for Node.js 4.4.5.0
IBM SDK for Node.js 1.2.0.13
IBM SDK for Node.js 1.1.1.2

Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: http://.

References:

• Installanywhere Homepage (Flexera)
  
• ESB-2016.1299 - [Win] IBM Watson Explorer and Watson Content Analytics: Execute (AUSCERT)
  
• IBM Sterling Connect:Direct FTP+ for Windows installers are vulnerable to attack (IBM)
  
• Security Bulletin: Various IBM WebSphere MQ Installers are susceptible to DLL-pl (IBM)
  
• swg21980209: Security Bulletin: Vulnerabilities in IBM FileNet Content Manager a (IBM)
  
• swg21982743:Vulnerability in InstallAnywhere affects IBM Content Collector for S (IBM)
  
• swg21983037: Security Bulletin:InstallAnywhere generates installation executable (IBM)
  
• swg21983156: Security Bulletin: Current Releases of IBM® SDK for Node.jsâ?¢ are af (IBM)
  
• swg21983503:Vulnerability in InstallAnywhere affects IBM License Metric Tool v7. (IBM)
  
• swg21983538: InstallAnywhere generates installation executables which are vulner (IBM)
  
• swg21983753:Vulnerability in Flexera InstallAnywhere affects Watson Explorer and (IBM)
  
• swg21983785:Vulnerability in InstallAnywhere affects IBM Omni-Channel Marketing (IBM)
  
• swg21984067: Vulnerability in InstallAnywhere affects IBM InfoSphere Optim Perfo (IBM)
  
• swg21984082: Security Bulletin: Vulnerability in Flexera InstallAnywhere affects (IBM)
  
• swg21984231: Security Bulletin: Vulnerability in InstallShield/InstallAnywhere a (IBM)
  
• swg21984310:Vulnerability in InstallAnywhere affects IBM InfoSphere Change Data (IBM)
  
• swg21984311: Vulnerabilities in Flexera InstallShield and InstallAnywhere affect (IBM)
  
• swg21984799:InstallAnywhere Vulnerability affects Daeja ViewONE Professional, St (IBM)
  
• swg21984949: Vulnerability in InstallAnywhere affects IBM Tivoli Monitoring for (IBM)
  
• swg21985002 : Vulnerability in InstallAnywhere affects DB2 Recovery Expert, DB2 (IBM)
  
• swg21985483: Vulnerability in InstallAnywhere affects IBM Tivoli Storage Manager (IBM)
  

Source: www.securityfocus.com