
Critical Remote Code Execution Vulnerabilities Patched in IBM WebSphere
2020-06-09 12:15

Two critical vulnerabilities patched recently by IBM in its WebSphere Application Server product can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.

Two of the flaws have been rated critical and they can be exploited for remote code execution, while the third has been classified as high severity and it can lead to information disclosure.

Tint0 reported the issues to IBM through Trend Micro's Zero Day Initiative, which last week published advisories for each of the vulnerabilities.

The security holes that allow remote code execution are tracked as CVE-2020-4450 and CVE-2020-4448, and they are caused by "the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data."

One of the vulnerabilities is related to the BroadcastMessageManager class and it allows arbitrary code execution with SYSTEM privileges, while the other is related to the handling of the IIOP protocol and it can allow code execution with root privileges.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/b_jJvkyyu1Y/critical-remote-code-execution-vulnerabilities-patched-ibm-websphere

Related Vulnerability

DATE        CVE            VULNERABILITY TITLE                                                                  RISK
2020-06-05  CVE-2020-4448  Deserialization of Untrusted Data vulnerability in IBM products                     critical (CVSS 9.8)
            IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources.
            Attack vector: network; attack complexity: low; vendor: ibm; weakness: CWE-502
2020-06-05  CVE-2020-4450  Deserialization of Untrusted Data vulnerability in IBM WebSphere Application Server  critical (CVSS 9.8)
            IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects.
            Attack vector: network; attack complexity: low; vendor: ibm; weakness: CWE-502

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
IBM 736 216 2774 1264 248 4502