Two critical vulnerabilities recently patched by IBM in its product WebSphere Application Server can be exploited to execute arbitrary code with elevated privileges by a remote, unauthenticated attacker.
A security researcher who uses the online pseudonym tint0 discovered in April that three potentially severe deserialization issues affect WebSphere Application Server, IBM's Java EE-based runtime environment. Two of the vulnerabilities have been rated critical and can be exploited for remote code execution, while the third has been rated high severity and can result in information disclosure.
Tint0 reported the issues to IBM through Trend Micro's Zero Day Initiative (ZDI), which published advisories for each of the vulnerabilities last week. IBM reported the bugs in mid-April.
The security holes that allow remote code execution are tracked as CVE-2020-4450 and CVE-2020-4448, and are caused by “lack of proper validation of user-supplied data, which may lead to deserialization of untrusted information.”
One of the vulnerabilities is related to the BroadcastMessageManager class and allows arbitrary code execution with SYSTEM privileges, while the other is related to IIOP protocol handling and allows code execution with root privileges.
The manipulation, according to IBM, involves sending a specially crafted series of serialized objects. WebSphere Application Server 8.5 and 9.0 are affected, and WebSphere Virtual Enterprise is also affected by CVE-2020-4448.
The high-severity flaw identified by tint0 is also related to IIOP deserialization and may result in information disclosure. A remote attacker can use a specially crafted sequence of serialized objects to exploit the vulnerability without authentication.
The vendor has released patches for each of the vulnerabilities, and there is no evidence of malicious exploitation.