Security News > 2020 > June > Critical Remote Code Execution Vulnerabilities Patched in IBM WebSphere
Two critical vulnerabilities patched recently by IBM in its WebSphere Application Server product can be exploited by a remote, unauthenticated attacker to execute arbitrary code with elevated privileges.
Two of the flaws have been rated critical and they can be exploited for remote code execution, while the third has been classified as high severity and it can lead to information disclosure.
Tint0 reported the issues to IBM through Trend Micro's Zero Day Initiative, which last week published advisories for each of the vulnerabilities.
The security holes that allow remote code execution are tracked as CVE-2020-4450 and CVE-2020-4448, and they are caused by "The lack of proper validation of user-supplied data, which can result in deserialization of untrusted data."
One of the vulnerabilities is related to the BroadcastMessageManager class and it allows arbitrary code execution with SYSTEM privileges, while the other is related to the handling of the IIOP protocol and it can allow code execution with root privileges.
News URL
Related news
- Critical flaws in Mongoose library expose MongoDB to data thieves, code execution (source)
- Elastic Releases Urgent Fix for Critical Kibana Vulnerability Enabling Remote Code Execution (source)
- GitLab patches critical authentication bypass vulnerabilities (source)
- IBM scores perfect 10 ... vulnerability in mission-critical OS AIX (source)
- Ongoing Cyber Attacks Exploit Critical Vulnerabilities in Cisco Smart Licensing Utility (source)
- OpenAI now pays researchers $100,000 for critical vulnerabilities (source)
- Still Using an Older Version of iOS or iPadOS? Update Now to Patch These Critical Security Vulnerabilities (source)
- Adobe Patches 11 Critical ColdFusion Flaws Amid 30 Total Vulnerabilities Discovered (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-06-05 | CVE-2020-4448 | Deserialization of Untrusted Data vulnerability in IBM products IBM WebSphere Application Server Network Deployment 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. | 9.8 |
| 2020-06-05 | CVE-2020-4450 | Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server IBM WebSphere Application Server 8.5 and 9.0 traditional could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects. | 9.8 |