Security News > 2020 > June > Critical Remote Code Execution Vulnerabilities Patched in IBM WebSphere
Two critical vulnerabilities patched recently by IBM in its WebSphere Application Server product can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.
Two of the flaws have been rated critical and they can be exploited for remote code execution, while the third has been classified as high severity and it can lead to information disclosure.
Tint0 reported the issues to IBM through Trend Micro's Zero Day Initiative, which last week published advisories for each of the vulnerabilities.
The security holes that allow remote code execution are tracked as CVE-2020-4450 and CVE-2020-4448, and they are caused by "The lack of proper validation of user-supplied data, which can result in deserialization of untrusted data."
One of the vulnerabilities is related to the BroadcastMessageManager class and it allows arbitrary code execution with SYSTEM privileges, while the other is related to the handling of the IIOP protocol and it can allow code execution with root privileges.
News URL
Related news
- Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications (source)
- Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited (source)
- HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities (source)
- OvrC Platform Vulnerabilities Expose IoT Devices to Remote Attacks and Code Execution (source)
- Patch Tuesday: Four Critical Vulnerabilities Paved Over (source)
- Critical vulnerabilities persist in high-risk sectors (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-05 | CVE-2020-4448 | Deserialization of Untrusted Data vulnerability in IBM products IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. | 9.8 |
| 2020-06-05 | CVE-2020-4450 | Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. | 9.8 |