IBM Maximo 2020 security bulletin


MAXapps P10


The IBM Maximo Asset Management tool is designed for large companies that have assets to track, such as tools and spare parts, and that handle huge databases.

Those organizations rely on a network to share and gather information. Most authenticated users on the network will probably have some asset-related queries they're allowed to make, such as looking up stock levels, delivery times or service schedules.

IBM issues alerts to personnel managing these networks and the data flows they support so that potential security breaches can be handled effectively.

Here is a list of critical alerts for 2020, intended for IBM Maximo specialists and IT network supervisors.

Our development and integration team will update this list on an ongoing basis.



P10-1 Maximo security alert

1- Description:

The vulnerability CVE-2020-4529, found in versions 7.6.0 and 7.6.1 of IBM Maximo Asset Management software, is highly dangerous (CVSS score 7.3) and involves server-side request forgery (SSRF). With it, a logged-in attacker with low privileges can make the system send illegitimate requests on their behalf, in order to scan the network or develop other attacks.

One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker's workstation itself, if infected by a virus.

2- Affected product(s) and affected version(s):

The flaw impacts Maximo Asset Management 7.6.0 and 7.6.1, and possibly older versions.

3- Remediation/Fixes:

Eliminating the vulnerability requires updating IBM Maximo Asset Management software, as well as related solutions and products, to the latest versions. Recommended: deployment of a web application firewall to prevent exploitation of web vulnerabilities, combined with regular penetration testing and mandatory use of certificates or a VPN for access to internal systems.


Refer to the following reference URLs for remediation and additional vulnerability details:

Source Bulletin: https://www.ibm.com/support/pages/node/6220528



P10-2 Maximo security alert

1- Description:

IBM Maximo Asset Management is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

2- Affected product(s) and affected version(s):

This vulnerability affects the following versions of the IBM Maximo Asset Management core product.

IBM Maximo Asset Management 7.6.0

IBM Maximo Asset Management 7.6.1

Older versions of Maximo Asset Management may be impacted.

3- Remediation/Fixes:

The recommended solution is to upgrade to a new version, or to download the appropriate Interim Fix or Fix Pack from Fix Central and apply it to each affected product as soon as possible.

For Maximo Asset Management 7.6.1.1: https://www.ibm.com/support/fixcentral/7.6.1.1-TIV-MBS-IFIX007

For Maximo Asset Management 7.6.0.10: https://www.ibm.com/support/fixcentral/7.6.0.10-TIV-MBS-IFIX013


Refer to the following reference URLs for remediation and additional vulnerability details:

Source Bulletin: https://www.ibm.com/support/pages/node/6238376



P10-3 Maximo security alert

1- Description:

IBM Maximo Asset Management is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. The flaw lies in the XML Data Handler component; the exact processing path and input involved are not disclosed. Manipulating the XML input leads to what is classified as a privilege escalation vulnerability (XXE). A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. No form of authentication is needed for exploitation.

2- Affected product(s) and affected version(s):

This vulnerability affects the following versions of the IBM Maximo Asset Management core product.

IBM Maximo Asset Management 7.6.0

IBM Maximo Asset Management 7.6.1

Older versions of Maximo Asset Management may be impacted.

3- Remediation/Fixes:

The recommended solution is to upgrade to a new version, or to download the appropriate Interim Fix or Fix Pack from Fix Central and apply it to each affected product as soon as possible.

For Maximo Asset Management 7.6.1: https://www.ibm.com/support/fixcentral/7.6.1.2-TIV-MAMMT-FP002


Refer to the following reference URLs for remediation and additional vulnerability details:

Source Bulletin: https://www.ibm.com/support/pages/node/6253953
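For the XXE issue in P10-3, the following is an added example (not IBM's or Maximo's code) of the parser hardening that an integration feeding XML into Maximo can apply alongside the fix pack. It assumes the integration parses with the JAXP DocumentBuilderFactory of a standard JDK; the class name and the sample documents are made up for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Factory that refuses any DTD. Rejecting the DOCTYPE blocks both XXE impact modes
    // named in the bulletin: external entities (file or URL disclosure) and recursive
    // entity expansion (memory exhaustion), before a single entity is declared.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Returns the root element name, or null when the document is rejected.
    static String parseRootName(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input, not taken from the bulletin or from Maximo.
        String benign = "<?xml version=\"1.0\"?><assets><asset id=\"A-1\"/></assets>";
        // Any DTD is refused, so even this harmless internal entity declaration fails fast.
        String withDtd = "<?xml version=\"1.0\"?><!DOCTYPE assets [<!ENTITY site \"WH1\">]>"
                       + "<assets><asset site=\"&site;\"/></assets>";
        System.out.println("benign  -> " + parseRootName(benign));
        System.out.println("withDtd -> " + parseRootName(withDtd));
    }
}
```

Applying the vendor fix pack remains the remediation for the product itself; this hardening only covers XML that your own integration code parses.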



Our development and integration team is at your service if you have any queries or need to audit your Maximo installations: Reach us

At iMaxeam, we do great add-ons for Maximo