Security News > 2021 > February > IBM Squashes Critical Remote Code-Execution Flaw

IBM Squashes Critical Remote Code-Execution Flaw
2021-02-23 19:36

IBM has patched a critical buffer-overflow error that affects Big Blue's Integration Designer toolset, which helps enterprises create business processes that integrate applications and data.

"By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash," according to IBM's Monday security advisory.

Specifically, CVE-2020-27221 exists in Eclipse OpenJ9, a high-performance, scalable, Java VM implementation that is fully compliant with JRE. "Contributed to the Eclipse foundation by IBM, the OpenJ9 JVM underpins the IBM SDK, Java Technology Edition, which is a core component of many IBM Enterprise software products," according to IBM. IBM Integration Designer versions 8.5.7, 19.0.0.2, 20.0.0.1 and 20.0.0.2, which use JRE versions 7 and 8, are affected.

IBM also patched a slew of high-severity flaws in its IBM Planning Analytics Workspace; a web-based interface for IBM Planning Analytics that provides an interface to create and analyze content.

The flaw "Could provide weaker than expected security, caused by not having entity expansion secured properly," according to IBM. "A remote attacker could exploit this vulnerability to launch XML external entity attacks to have impact over data integrity."

In April, four serious security vulnerabilities in the IBM Data Risk Manager were identified that can lead to unauthenticated remote code execution as root in vulnerable versions, according to analysis - and a proof-of-concept exploit is available.


News URL

https://threatpost.com/ibm-critical-remote-code-execution-flaw/164187/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-01-21 CVE-2020-27221 Out-of-bounds Write vulnerability in Eclipse Openj9
In Eclipse OpenJ9 up to and including version 0.23, there is potential for a stack-based buffer overflow when the virtual machine or JNI natives are converting from UTF-8 characters to platform encoding.
network
low complexity
eclipse CWE-787
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
IBM 735 215 2758 1258 245 4476