Security News > 2020 > June > Critical Remote Code Execution Vulnerabilities Patched in IBM WebSphere
Two critical vulnerabilities patched recently by IBM in its WebSphere Application Server product can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.
Two of the flaws have been rated critical and they can be exploited for remote code execution, while the third has been classified as high severity and it can lead to information disclosure.
Tint0 reported the issues to IBM through Trend Micro's Zero Day Initiative, which last week published advisories for each of the vulnerabilities.
The security holes that allow remote code execution are tracked as CVE-2020-4450 and CVE-2020-4448, and they are caused by "The lack of proper validation of user-supplied data, which can result in deserialization of untrusted data."
One of the vulnerabilities is related to the BroadcastMessageManager class and it allows arbitrary code execution with SYSTEM privileges, while the other is related to the handling of the IIOP protocol and it can allow code execution with root privileges.
News URL
Related news
- Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution (source)
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- Ivanti fixes critical vulnerabilities in Endpoint Management (CVE-2024-29847) (source)
- Patch Issued for Critical VMware vCenter Flaw Allowing Remote Code Execution (source)
- Critical Flaw in Microchip ASF Exposes IoT Devices to Remote Code Execution Risk (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-05 | CVE-2020-4448 | Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. | 10.0 |
| 2020-06-05 | CVE-2020-4450 | Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. | 10.0 |