CVE-2020-4589 IBM WebSphere Application Server 7.0, 8.0, 8.5 and 9.0

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities.

Vulnerability Summary

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects from untrusted sources. The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system. The vulnerability only occurs if an undocumented customization has been applied by an administrator.
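The root cause described above is the general Java deserialization problem: `ObjectInputStream.readObject()` will instantiate whatever classes the byte stream names, so a stream from an untrusted source must be restricted to the classes the application expects. The following is an added example, not code from IBM or Virsec, showing the standard JDK mitigation: a JEP 290 `java.io.ObjectInputFilter` allowlist with depth and size limits. It assumes Java 9 or later (the class name `SafeDeserialize$Greeting` and the `Greeting` type are hypothetical stand-ins for an application's own data classes).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SafeDeserialize {

    // Hypothetical application data class: the only type we ever expect on the wire.
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allowlist filter (JEP 290 pattern syntax):
    //   - SafeDeserialize$Greeting : the one class we accept
    //   - !*                       : reject every other class
    //   - maxdepth/maxbytes/maxrefs: bound object-graph depth, stream size and
    //                                reference count so a crafted stream cannot
    //                                exhaust memory or recurse deeply
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SafeDeserialize$Greeting;!*;maxdepth=5;maxbytes=4096;maxrefs=64");

    // Deserialize with the allowlist applied. Any class not on the list makes
    // readObject() throw InvalidClassException before the class is resolved.
    static Object readWithAllowlist(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper used only to build constructed sample streams for the demonstration.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: the expected type passes the filter.
        byte[] expected = serialize(new Greeting("hello"));
        Greeting g = (Greeting) readWithAllowlist(expected);
        System.out.println("allowed: " + g.text);

        // Constructed sample 2: a benign JDK class that is NOT on the allowlist
        // stands in for any unexpected class a crafted stream might name.
        byte[] unexpected = serialize(new java.util.Date());
        try {
            readWithAllowlist(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide with the `jdk.serialFilter` system property (or in the JDK's `java.security` file), which is the practical way to cover deserialization entry points inside a third-party application server that an administrator does not control at the source level; a per-stream filter as above is preferable where the application's own code owns the `ObjectInputStream`. In either case the defensive value comes from the `!*` deny-all tail: an allowlist that ends without it is only a denylist and offers little protection against classes not yet known to be dangerous.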

CVSS Score

The CVSS Base Score is 9.8 (Critical)

Affected Version

IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0.

Vulnerability Attribution

As per IBM, this vulnerability was reported to IBM by Kylinking of NSFOCUS Security Team.

Risk Impact

IBM WebSphere Application Server is a set of Java-based tools designed for network administrators, web developers, and software engineers. It enables users to develop and host Java-based web applications, build and manage websites, and manage multiple technologies in a single interface. As per HG Insights, WebSphere is used in industries such as banking, healthcare and software manufacturing for high-traffic deployments. Based on the linked data, the adoption graph by industry below shows that most companies with high-traffic systems use WebSphere.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system, affecting the confidentiality, integrity, and availability of these critical machines. No public exploits are available for this vulnerability.

Virsec Security Platform (VSP) Support

VSP-Host monitors spawned processes that are not part of a set of whitelisted processes. Any attempt to execute a new command or an unknown binary would be denied by VSP-Host's Process Monitoring capability.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.