Security Bulletin: Remote code execution vulnerability in WebSphere Application Server ND (CVE-2020-4448)

Summary

There is a remote code execution vulnerability in WebSphere Application Server Network Deployment. This has been addressed.

Vulnerability Details

CVEID:CVE-2020-4448
**DESCRIPTION:**IBM WebSphere Application Server Network Deployment could allow a remote attacker to execute arbitrary code on the system with a specially-crafted sequence of serialized objects from untrusted sources.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181228 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical.

For WebSphere Application Server ND traditional and WebSphere Application Server ND Hypervisor Edition:

For V9.0.0.0 through 9.0.5.3:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH25216
--OR–
· Apply Fix Pack 9.0.5.4 or later (targeted availability 2Q2020).

For V8.5.0.0 through 8.5.5.17:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH25216
--OR–
· Apply Fix Pack 8.5.5.18 or later (targeted availability 3Q2020).

For WebSphere Virtual Enterprise Edition:

**For V8.0:
· **Apply Interim Fix PH25216

For V7.0:
· Apply Interim Fix PH25216

_WebSphere Virtual Enterprise V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _

Workarounds and Mitigations

None