Security News > 2021 > February > IBM Squashes Critical Remote Code-Execution Flaw

IBM has patched a critical buffer-overflow error that affects Big Blue's Integration Designer toolset, which helps enterprises create business processes that integrate applications and data.

"By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash," according to IBM's Monday security advisory.

Specifically, CVE-2020-27221 exists in Eclipse OpenJ9, a high-performance, scalable, Java VM implementation that is fully compliant with JRE. "Contributed to the Eclipse foundation by IBM, the OpenJ9 JVM underpins the IBM SDK, Java Technology Edition, which is a core component of many IBM Enterprise software products," according to IBM. IBM Integration Designer versions 8.5.7, 19.0.0.2, 20.0.0.1 and 20.0.0.2, which use JRE versions 7 and 8, are affected.

IBM also patched a slew of high-severity flaws in its IBM Planning Analytics Workspace; a web-based interface for IBM Planning Analytics that provides an interface to create and analyze content.

The flaw "Could provide weaker than expected security, caused by not having entity expansion secured properly," according to IBM. "A remote attacker could exploit this vulnerability to launch XML external entity attacks to have impact over data integrity."

In April, four serious security vulnerabilities in the IBM Data Risk Manager were identified that can lead to unauthenticated remote code execution as root in vulnerable versions, according to analysis - and a proof-of-concept exploit is available.

News URL

https://threatpost.com/ibm-critical-remote-code-execution-flaw/164187/