IBM WebSphere flaw allows remote code execution

IBM has published a security bulletin and fixes for a remote code execution vulnerability, tracked as CVE-2020-4450, in WebSphere Application Server (WAS) traditional. The root cause is unsafe deserialization: WAS deserializes attacker-controlled data received over IIOP (the CORBA Internet Inter-ORB Protocol spoken by its ORB listener and bootstrap ports), so a specially crafted sequence of serialized objects can be used to run code on the server.

WebSphere Application Server is a Java EE application server: a software framework and middleware layer that hosts Java-based web and enterprise applications. It is the flagship product of the IBM WebSphere product family.

A remote attacker who can reach the IIOP port can exploit the flaw without authentication or user interaction and execute arbitrary code in the context of the application server process, which is usually enough to take full control of the host. The flaw is rated 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), so it is classed as critical.

The vulnerability affects the following versions of WAS:

  • WebSphere Application Server 9.0.0.0 – 9.0.5.4
  • WebSphere Application Server 8.5.0.0 – 8.5.5.17
  • WebSphere Application Server 8.0.0.0 – 8.0.0.15
  • WebSphere Application Server 7.0.0.0 – 7.0.0.45
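Two checks a practitioner would want when triaging this bulletin: whether an installed version falls inside the affected ranges above, and which ports on a given profile actually speak IIOP. The following is an added example, not IBM's code. It assumes the version string comes from the output of the `versionInfo.sh`/`versionInfo.bat` tool shipped with WAS, and that the profile's `serverindex.xml` exposes the IIOP listeners as the `BOOTSTRAP_ADDRESS` and `ORB_LISTENER_ADDRESS` special endpoints; the sample inputs below are constructed for illustration.

```python
"""Triage helpers for CVE-2020-4450 (added example, not IBM's code).

- is_affected(): compare a WAS version against the bulletin's ranges.
- iiop_ports(): list the IIOP-speaking endpoints in a profile's serverindex.xml.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges from the bulletin, inclusive on both ends, as int tuples.
AFFECTED = [
    ((9, 0, 0, 0), (9, 0, 5, 4)),
    ((8, 5, 0, 0), (8, 5, 5, 17)),
    ((8, 0, 0, 0), (8, 0, 0, 15)),
    ((7, 0, 0, 0), (7, 0, 0, 45)),
]

# Special endpoints in serverindex.xml that accept IIOP/GIOP connections
# (assumption: these two names are what the profile config uses).
IIOP_ENDPOINTS = {"BOOTSTRAP_ADDRESS", "ORB_LISTENER_ADDRESS"}


def parse_version(text):
    """Extract the first a.b.c.d version from text as a tuple of ints.

    Tuples compare numerically, so 9.0.5.10 sorts after 9.0.5.4; a naive
    string compare would put it before and misclassify it as affected.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no a.b.c.d version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version (string or tuple) is inside an affected range."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def iiop_ports(serverindex_xml):
    """Return {endpoint name: (host, port)} for IIOP endpoints in serverindex.xml."""
    root = ET.fromstring(serverindex_xml)
    found = {}
    # Child elements of the ServerIndex root are unprefixed, so no namespace here.
    for se in root.iter("specialEndpoints"):
        name = se.get("endPointName")
        if name in IIOP_ENDPOINTS:
            ep = se.find("endPoint")
            if ep is not None:
                found[name] = (ep.get("host"), int(ep.get("port")))
    return found


# Constructed sample of versionInfo output (not captured from a real host).
SAMPLE_VERSIONINFO = """Product List
Installed Product
Name                  IBM WebSphere Application Server
Version               9.0.5.4
"""

# Constructed, minimal serverindex.xml fragment (not a real profile's file).
SAMPLE_SERVERINDEX = """<?xml version="1.0" encoding="UTF-8"?>
<serverindex:ServerIndex xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:serverindex="http://www.ibm.com/websphere/appserver/schemas/5.0/serverindex.xmi"
    hostName="app01">
  <serverEntries serverName="server1" serverType="APPLICATION_SERVER">
    <specialEndpoints endPointName="BOOTSTRAP_ADDRESS">
      <endPoint host="*" port="2809"/>
    </specialEndpoints>
    <specialEndpoints endPointName="ORB_LISTENER_ADDRESS">
      <endPoint host="*" port="9100"/>
    </specialEndpoints>
    <specialEndpoints endPointName="WC_defaulthost">
      <endPoint host="*" port="9080"/>
    </specialEndpoints>
  </serverEntries>
</serverindex:ServerIndex>
"""


if __name__ == "__main__":
    v = parse_version(SAMPLE_VERSIONINFO)
    print("WAS %s affected by CVE-2020-4450: %s" % (".".join(map(str, v)), is_affected(v)))
    for name, (host, port) in sorted(iiop_ports(SAMPLE_SERVERINDEX).items()):
        print("IIOP endpoint %-20s %s:%d" % (name, host, port))
```

A host of `*` means the listener binds every interface, so the IIOP ports are reachable from wherever the server is reachable. Restricting who can reach those ports reduces exposure while the fix is rolled out, but it is defense in depth only: IBM lists no workaround for this flaw.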

IBM released the fix as an interim fix for all four release lines, including versions 7.0 and 8.0, which are no longer in standard support. IBM lists no workaround or mitigation for this flaw, so administrators of affected deployments should apply the fix as soon as possible.