A vulnerability affecting IBM's WebSphere has been reported by security researcher Maurizio Agazzini, but the company requested censorship of the proof-of-concept.
Although Agazzini worked with the company on developing a fix and patching affected products, IBM allegedly pressured him into removing the proof-of-concept for the vulnerability, as it could still have affected customers who had yet to install the fix. While Agazzini complied, it wasn't without posting an excerpt of the email received from IBM.
Reported under CVE-2016-5983, the vulnerability affects IBM's WebSphere versions 7, 8, 8.5, and 9, and allows “remote authenticated users to execute arbitrary Java code via a crafted serialized object”. Successfully exploiting the vulnerability could lead to DoS (denial-of-service) attacks and even remote execution of malicious code.
While the PoC has since been removed, details on how the attack can be reproduced are still available and anyone with the right technical skills can write their own PoC.
“The attack can be reproduced as follows:
IBM's response to inquiries on why they specifically asked the security researcher to drop the proof-of-concept suggests they're mostly interested in their customers' safety, as some might not be able to apply the patch in a timely manner.
“Though the patch is now available, we understand many organizations can’t always apply patches immediately,” said IBM. “While not the normal IBM practice, in this specific case, we asked for some of the exploit details to be redacted to protect vulnerable users and allow them time to patch.”
Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past few years.