Blog
02.01.2021

CVE-2020-4949: IBM WebSphere Application Server - XXE attack

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.

1.1        Vulnerability Summary

IBM WebSphere Application Server versions 7.0, 8.0, 8.5, and 9.0 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote, unauthenticated attacker who can submit XML to the server could exploit this vulnerability to expose sensitive information (the parser resolves attacker-declared external entities, so local files and internal URLs can be read into the document) or to consume memory resources (nested entity declarations expand to a very large document).
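The two impacts above come from the XML parser honoring a DOCTYPE supplied by the client. The following Java program is an added illustration of that mechanism and of the parser hardening that closes it; it is not code from IBM's advisory or from WebSphere itself. It writes a constructed secret to a temporary file, builds a DOCTYPE that declares an external entity pointing at that file, and parses the same payload twice: once with a default JAXP DocumentBuilderFactory (which resolves SYSTEM entities) and once with a factory whose features disallow DOCTYPE declarations and external entities. The file name, the payload, and the feature set are assumptions chosen for the demonstration; the feature URIs themselves are the standard Xerces/SAX ones that the JDK parser accepts.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Parse an XML string with the given factory and return the root element's text.
    static String parseText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    // The weak configuration: a stock factory. Secure processing is on by default
    // (it bounds entity expansion), but external SYSTEM entities are still resolved.
    static DocumentBuilderFactory vulnerableFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // The hardened configuration. Refusing any DOCTYPE is the single most effective
    // setting: without a DTD there is nowhere to declare external or recursive
    // entities, so both the disclosure and the memory-exhaustion paths are closed.
    // The remaining features are defense in depth for parsers that cannot reject DOCTYPE.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed "sensitive" file standing in for a credentials or config file.
        Path secret = Files.createTempFile("xxe-demo-secret", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        secret.toFile().deleteOnExit();

        // Constructed XXE payload: the DOCTYPE declares an entity backed by the file,
        // and the body references it so the file contents land in the parsed document.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<order>&xxe;</order>";

        // 1. Default factory: the secret is returned as the element's text.
        System.out.println("default factory  : " + parseText(vulnerableFactory(), payload));

        // 2. Hardened factory: the parser rejects the DOCTYPE before any entity is fetched.
        try {
            parseText(hardenedFactory(), payload);
            System.out.println("hardened factory : UNEXPECTED, payload was parsed");
        } catch (SAXParseException e) {
            System.out.println("hardened factory : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo` on Java 11 or later (`Files.writeString` is the only post-Java-8 call). The first line prints the file contents, which is the information-disclosure impact from the summary; the second prints the parser's DOCTYPE rejection. The same feature flags apply to SAXParserFactory, XMLInputFactory (`XMLInputFactory.SUPPORT_DTD` set to false) and TransformerFactory, and an application hosted on WebSphere should set them on every parser it creates rather than rely solely on the server-side fix.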

CVE-2020-4949: IBM WebSphere App Server (XXE). Virsec Risk Index: 68%

Watch the video to learn more about this and other important vulnerabilities.

1.2        CVSS Score

The CVSS Base score of this vulnerability is 8.2 High as per NVD. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

1.3        Affected Version

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0

1.4        Vulnerability Attribution

This vulnerability was discovered and reported by IBM Corporation.

1.5        Risk Impact

WebSphere Application Server is a software product that performs the role of a web application server. More specifically, it is a software framework and middleware that hosts Java-based web applications. It is the flagship product within IBM's WebSphere software suite.

Per a third-party usage survey linked from the original post, WebSphere is used heavily by top enterprises.

[Chart from the original post: Companies Currently Using IBM WebSphere Application Server]

Exploiting this vulnerability can lead to exfiltration of sensitive data (local files readable by the server process) via an XXE attack. Because the parser will also fetch attacker-supplied URLs, the flaw can be used to reach internal services that are not exposed externally, which can facilitate lateral movement between workloads. At the time of writing there are no publicly available exploits.

1.6        Virsec Security Platform (VSP) Support:

VSP-APG has the capability to detect XXE attacks and to prevent this vulnerability from being exploited.


1.7        Reference Links:

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Do you have a request for a vulnerability for the Virsec Security Research Lab to explore? Let us know!

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.