Vulnerabilities in IBM WebSphere Application Server Could Allow for Remote Code Execution
Three critical vulnerabilities have been discovered in IBM WebSphere Application Server that could allow for remote code execution. They were reported to IBM by tint0, working with the Trend Micro Zero Day Initiative, and by Kylinking of the NSFOCUS Security Team.
IBM WebSphere Application Server is a software framework and middleware that hosts Java-based web applications. Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely in the context of the affected application.
Two of the vulnerabilities, tracked as CVE-2020-4450 and CVE-2020-4448, are remote code execution issues rated as critical; the third, tracked as CVE-2020-4449, is an information disclosure flaw rated as high severity.
Both CVE-2020-4450 and CVE-2020-4448 have received a CVSS score of 9.8. They are caused by a lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data.
The CVE-2020-4450 issue occurs when deserializing an object from an untrusted source. This could allow a remote attacker to execute arbitrary code on the system by sending a specially crafted sequence of serialized objects. The issue exists because of how IBM WebSphere Application Server handles the Internet Inter-ORB Protocol (IIOP).
The CVE-2020-4448 issue resides in the BroadcastMessageManager class and could be exploited to execute arbitrary code with SYSTEM privileges on affected installations of IBM WebSphere. Authentication is not required to exploit this vulnerability.
The third vulnerability, tracked as CVE-2020-4449, affects the IIOP deserialization and it can lead to information disclosure. It could be exploited by a remote, unauthenticated attacker by sending a specially crafted sequence of serialized objects.
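All three issues come down to the server instantiating whatever classes an untrusted serialized stream names. The following added Java example (not IBM's code and not the vulnerable WebSphere code path) contrasts that unchecked ObjectInputStream pattern with a JEP 290 allowlist filter, the standard mitigation for Java deserialization of untrusted data. It assumes Java 9 or later; the Greeting class and the ArrayList used as a stand-in for an unexpected object graph are constructed for the demonstration.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {
    // Constructed stand-in for a legitimate application message class.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Vulnerable pattern: instantiate whatever classes the peer's stream names.
    static Object unsafeRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allowlist filter. Only Greeting and String may be
    // instantiated; every other class ("!*") and overly deep graphs are rejected
    // before any readObject method of the unexpected class can run.
    static Object safeRead(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Greeting;java.lang.String;maxdepth=3;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        // An ArrayList is harmless, but it is not on the allowlist, so it models any graph the app never meant to accept.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        System.out.println("unsafe accepted: " + unsafeRead(unexpected).getClass().getName());
        System.out.println("safe accepted: " + ((Greeting) safeRead(expected)).text);
        try {
            safeRead(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide through the jdk.serialFilter system property, so a listener such as an IIOP endpoint inherits the allowlist without code changes.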
The flaws affect IBM WebSphere Application Server 8.5 and 9.0, while CVE-2020-4448 also affects WebSphere Virtual Enterprise Edition.
Risk:
The level of risk to different user groups and entities is as follows:
- Large and medium government/Business entities: HIGH
- Small government/Business entities: MEDIUM
- Home Users: LOW
Impact:
Successful exploitation of these vulnerabilities could allow an attacker to execute code remotely in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition.
Recommendations
It is recommended to consider the following best practices:
- Upgrade to the latest version of IBM WebSphere Application Server immediately, after appropriate testing.
- Verify that no unauthorized system modifications have occurred on the system before applying the patch.
- Apply the principle of Least Privilege to all systems and services.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.