Critical Remote Code Execution Vulnerabilities Patched in IBM WebSphere

Security News, June 2020

IBM recently patched three vulnerabilities in its WebSphere Application Server product. Two of the flaws have been rated critical and can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges, while the third has been classified as high severity and can lead to information disclosure.
Tint0 reported the issues to IBM through Trend Micro's Zero Day Initiative, which last week published advisories for each of the vulnerabilities.
The security holes that allow remote code execution are tracked as CVE-2020-4450 and CVE-2020-4448, and they are caused by "the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data."
One of the vulnerabilities is related to the BroadcastMessageManager class and allows arbitrary code execution with SYSTEM privileges, while the other is related to the handling of the IIOP protocol and can allow code execution with root privileges.
Related vulnerabilities

| Date | CVE | Vulnerability title | Risk (CVSS score) |
|---|---|---|---|
| 2020-06-05 | CVE-2020-4448 | Deserialization of Untrusted Data vulnerability in IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects from untrusted sources. | 9.8 |
| 2020-06-05 | CVE-2020-4450 | Deserialization of Untrusted Data vulnerability in IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. | 9.8 |