Summary IBM Security AppScan Standard can be affected a vulnerability in the update process that could allow remote code injection. Vulnerability Details CVE ID: CVE-2014-0904 DESCRIPTION: The update process in AppScan Standard can download updates without performing an integrity check on the file being downloaded. This could lead to the execution of untrusted code on affected systems. The attack does not require local network access nor does it require authentication, but a high degree of specialized knowledge and techniques are required. An exploit can affect the availability of the system, the confidentiality of information and the integrity of data. CVSS: CVSS Base Score: 7.6 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91536 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) Affected Products and Versions IBM Security AppScan Standard 8.8 IBM Security AppScan Standard 8.7 IBM Security AppScan Standard 8.6 IBM Rational AppScan Standard 8.5 IBM Rational AppScan Standard 8.0 IBM Rational AppScan Standard 7.9 Remediation/Fixes Vendor Fix: A change has been made to the AppScan Standard update server that no longer allows the downloading of untrusted files. Workarounds and Mitigations Verify that the Domain Name System (DNS) entry has not been modified and no unauthorized applications are installed/running on the system where AppScan Standard is installed. References Complete CVSS Guide On-line Calculator V2 CVE-2014-0904 http://xforce.iss.net/xforce/xfdb/91536 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 10 March 2014 - Initial publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.