CVE-2025-36360
📋 TL;DR
This CVE describes a race condition vulnerability in IBM UrbanCode Deploy and DevOps Deploy where HTTP session client-IP binding enforcement can be bypassed. An attacker could briefly reuse a session from a new IP address before invalidation, potentially gaining unauthorized access. Affected users include organizations running vulnerable versions of IBM's deployment automation software.
💻 Affected Systems
- IBM UrbanCode Deploy
- IBM DevOps Deploy
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could hijack an active administrator session and gain unauthorized access to deployment systems, potentially modifying configurations, deploying malicious code, or accessing sensitive deployment credentials.
Likely Case
Limited session hijacking where an attacker might briefly access a user's session but would be quickly detected and invalidated, potentially accessing non-critical deployment information.
If Mitigated
With proper network segmentation and session monitoring, impact would be minimal - possibly brief unauthorized access to low-privilege user sessions that gets quickly terminated.
🎯 Exploit Status
Exploitation requires precise timing (race condition), network access to intercept sessions, and knowledge of active sessions. No public exploits have been reported.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IBM UrbanCode Deploy 7.1.2.28, 7.2.3.21, 7.3.2.16; IBM DevOps Deploy 8.0.1.11, 8.1.2.4
Vendor Advisory: https://www.ibm.com/support/pages/node/7254661
Restart Required: Yes
Instructions:
1. Download the appropriate fix pack from IBM Fix Central.
2. Back up your current installation.
3. Stop the UrbanCode/DevOps Deploy server.
4. Apply the fix pack according to IBM documentation.
5. Restart the server.
6. Verify the update was successful.
🔧 Temporary Workarounds
Session Timeout Reduction
Reduce HTTP session timeout values to minimize the window where session hijacking could occur
Modify server.xml to set session-timeout to a lower value (e.g., 15 minutes)
Network Segmentation
Restrict network access to UrbanCode/DevOps Deploy servers to trusted IP ranges only
Configure firewall rules to allow access only from authorized management networks
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the UrbanCode/DevOps Deploy servers
- Enable detailed session logging and monitoring to detect any unauthorized session access attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed version via the UrbanCode/DevOps Deploy web interface or server logs, and compare against affected version ranges
Check Version:
Check the 'About' section in the web interface or examine server startup logs for version information
Verify Fix Applied:
After patching, verify the version number shows the fixed version and test session management from different IP addresses
📡 Detection & Monitoring
Log Indicators:
- Multiple session creation events from different IP addresses in rapid succession
- Session invalidation logs followed by immediate re-authentication from different IP
Network Indicators:
- Unusual session traffic patterns between different source IPs
- Rapid session establishment from geographically disparate locations
SIEM Query:
source="urbancode.log" AND ("session created" OR "session invalidated") | stats dc(src_ip) as ip_count by session_id | where ip_count > 1
(This returns session IDs observed from more than one source IP; counting events per src_ip and session_id would instead match every normal session that logs both a creation and an invalidation from the same address.)
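As an added detection example (not from the advisory or from IBM), the following Python script applies the first log indicator above to constructed log lines in a hypothetical format: it flags any session that is used from a second source IP shortly after it was created, and computes the distinct-IPs-per-session view that the SIEM query aims for. Field names, the line layout and the 60-second window are assumptions to be mapped onto your real server logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical layout; real UrbanCode/DevOps Deploy
# logs differ and must be mapped to these fields (timestamp, event, session, user, ip).
SAMPLE_LOG = """\
2025-06-01T10:00:00Z session created session=abc123 user=deployer ip=10.0.0.5
2025-06-01T10:00:02Z request session=abc123 user=deployer ip=10.0.0.5
2025-06-01T10:00:03Z request session=abc123 user=deployer ip=198.51.100.7
2025-06-01T10:00:04Z session invalidated session=abc123 user=deployer ip=10.0.0.5
2025-06-01T10:05:00Z session created session=def456 user=ops ip=10.0.0.9
2025-06-01T10:05:30Z request session=def456 user=ops ip=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>session created|session invalidated|request) "
    r"session=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def find_ip_changes(events, window=timedelta(seconds=60)):
    """Return (session, user, origin_ip, new_ip, seconds_since_first_seen) for every
    event that uses a session from an IP other than the one it was first seen from,
    within `window`. Correct client-IP binding should never produce such a pair."""
    first_seen, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        origin = first_seen.setdefault(e["sid"], e)
        if origin is e:
            continue
        age = e["ts"] - origin["ts"]
        if e["ip"] != origin["ip"] and age <= window:
            alerts.append((e["sid"], e["user"], origin["ip"], e["ip"],
                           int(age.total_seconds())))
    return alerts

def ips_per_session(events):
    """Distinct source IPs per session (the aggregation the SIEM query performs)."""
    seen = {}
    for e in events:
        seen.setdefault(e["sid"], set()).add(e["ip"])
    return seen
```

Any session with more than one IP in `ips_per_session`, or any tuple returned by `find_ip_changes`, is worth correlating with the invalidation and re-authentication events described above before escalating.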