CVE-2019-4279 - Deserialization of Untrusted Data vulnerability in IBM Websphere Application Server

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Tags: network, low complexity, ibm, CWE-502, critical, nessus, metasploit

Summary

IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources. IBM X-Force ID: 160445.

Common Weakness Enumeration (CWE)

Metasploit

description: This module exploits untrusted serialized data processed by the WAS DMGR Server and Cells. NOTE: There is a required 2 minute timeout between attempts as the neighbor being added must be reset.
id: MSF:EXPLOIT/WINDOWS/IBM/IBM_WAS_DMGR_JAVA_DESERIALIZATION_RCE
last seen: 2020-06-14
modified: 2019-06-11
published: 2019-05-16
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/ibm/ibm_was_dmgr_java_deserialization_rce.rb
title: IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution

Nessus

NASL family: Web Servers
NASL id: WEBSPHERE_CVE-2019-4279.NASL
description: The IBM WebSphere Application Server running on the remote host is version 7.0.x, 8.5.0.0 through 8.5.5.15, or 9.0.0.x through 9.0.0.11. It is, therefore, potentially affected by an unspecified remote code execution vulnerability.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 125630
published: 2019-05-31
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125630
title: IBM WebSphere Application Server Virtual Enterprise 7.0.x / Network Deployment 8.5.x < 8.5.5.16 / Network Deployment 9.0.0.x <= 9.0.0.11 Remote Code Execution Vulnerability (CVE-2019-4279)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(125630);
  script_version("1.4");
  script_cvs_date("Date: 2020/02/06");

  script_cve_id("CVE-2019-4279");
  script_bugtraq_id(108450);

  script_name(english:"IBM WebSphere Application Server Virtual Enterprise 7.0.x / Network Deployment 8.5.x < 8.5.5.16 / Network Deployment 9.0.0.x <= 9.0.0.11 Remote Code Execution Vulnerability (CVE-2019-4279)");
  script_summary(english:"Reads the version number from the SOAP and GIOP services.");

  script_set_attribute(attribute:"synopsis", value:
"The remote web application server is affected by a remote code
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The IBM WebSphere Application Server running on the remote host is
version 7.0.x, 8.5.0.0 through 8.5.5.15, or 9.0.0.x through 9.0.0.11.
It is, therefore, potentially affected by an unspecified remote code
execution vulnerability.");
  script_set_attribute(attribute:"see_also", value:"https://www-01.ibm.com/support/docview.wss?uid=ibm10883628");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM WebSphere Application Server Network Deployment
8.5.5.16 or 9.0.5.0 or later. Alternatively, upgrade to the minimal
fix pack levels required by the interim fix and then apply Interim
Fix PH116556.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-4279");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'IBM Websphere Application Server Network Deployment Untrusted Data Deserialization Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/31");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("websphere_detect.nasl");
  script_require_ports("Services/www", 8880, 8881, 9001);
  script_require_keys("www/WebSphere", "Settings/ParanoidReport");

  exit(0);
}

include("vcf.inc");
include("http.inc");

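app = "IBM WebSphere Application Server";
# Stop here unless websphere_detect.nasl recorded at least one install.
get_install_count(app_name:app, exit_if_zero:TRUE);

# The check is version-based only (potential_vulnerability is set above),
# so it runs only when the scan is configured for paranoid reporting.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:8880, embedded:FALSE);

app_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);

# Require a four-segment version (e.g. 8.5.5.15) before comparing.
vcf::check_granularity(app_info:app_info, sig_segments:4);

# Affected ranges per branch, with the fix reported for each.
fix = "Interim Fix PH116556";
constraints = [
  {"min_version":"7.0.0.0", "max_version":"7.9.9.9", "fixed_version":fix},
  {"min_version":"8.5.0.0", "max_version":"8.5.5.15", "fixed_version":"8.5.5.16 or " + fix},
  {"min_version":"9.0.0.0", "max_version":"9.0.0.11", "fixed_version":"9.0.5.0 or " + fix}
];

# Report a finding when the detected version falls inside any range.
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);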