Critical vulnerability in IBM WebSphere Application Server

Vulnerability reporting is an essential part of a collaborative environment in the cybersecurity community. Such reporting eases the workload of computer security firms, which are at times overwhelmed by the number of exploitable flaws surfacing at any given moment.

This time, IBM revealed the presence of a critical security vulnerability in its WebSphere Application Server product. If exploited, this vulnerability could allow threat actors to launch denial of service (DoS) attacks. In the cybersecurity report, IBM mentions that the flaw, tracked as CVE-2019-4720, can be triggered by sending specially crafted requests. A remote threat actor could exploit the vulnerability to exhaust server memory resources, generating the DoS condition.

Apparently, the vulnerability is present in WebSphere Application Server versions 9.0, 8.5, 8.0, and 7.5; so far there are no known workarounds for this flaw, so users are strongly advised to install the updates released by the company.

In addition to the updates, IBM released a guide for updating the affected deployments of WebSphere Application Server and WebSphere Application Server Hypervisor Edition between 9.0.0.0 and 9.0.5.2. System administrators who want more details can find the full cybersecurity report on IBM’s official platforms.

This has been a busy week for IBM. A few days ago, the company published a report on three critical vulnerabilities in various products; exploitation of these flaws would have allowed threat actors to take full control of the compromised network, so an emergency update was released.

The most serious of these security issues is an XML External Entity (XXE) injection vulnerability in IBM Security Access Manager V9.0.7.1. The vulnerability, tracked as CVE-2019-4707, is triggered when processing XML data; a remote attacker could exploit the flaw to expose sensitive information or exhaust the target system's memory. The flaw received a score of 7/10 on the Common Vulnerability Scoring System (CVSS) scale.
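The two outcomes named above, information exposure and memory exhaustion, both depend on the XML parser honouring a DOCTYPE with entity declarations. The following is an added example of the defensive check an application can apply to untrusted XML before parsing it; it is not IBM's code and says nothing about how Security Access Manager handles XML. It uses only the Python standard library, and the sample documents (including the placeholder SYSTEM identifier) are constructed for the illustration.

```python
import xml.parsers.expat
from xml.etree import ElementTree

# Constructed sample inputs (not from the IBM advisory): a plain document and
# one carrying a DOCTYPE that declares an external entity, which is the shape
# an XXE attempt takes. The SYSTEM identifier is a placeholder.
SAFE_DOC = b"<config><user>alice</user></config>"
XXE_DOC = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE config [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>\n'
           b"<config><user>&ext;</user></config>")


class UnsafeXMLError(ValueError):
    """The document declares a DOCTYPE or an entity; untrusted input never needs either."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan the document with expat and abort on the first DOCTYPE or entity
    declaration. External entities are the XXE vector (file and network reads);
    internal entity expansion is the usual memory-exhaustion vector. Refusing
    both up front removes the whole class instead of trying to sanitise it."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in untrusted XML")

    def on_entity(name, *_):
        raise UnsafeXMLError(f"entity {name!r} is not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)  # an exception raised in a handler propagates here


def parse_untrusted_xml(data: bytes) -> ElementTree.Element:
    """Parse only after the DTD check passes, so no entity is ever expanded."""
    reject_dtd(data)
    return ElementTree.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """Policy check: True when the document contains no DOCTYPE or entity."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXMLError:
        return False


if __name__ == "__main__":
    print("safe doc user:", parse_untrusted_xml(SAFE_DOC).find("user").text)
    print("xxe doc accepted:", is_accepted(XXE_DOC))
```

Rejecting the DOCTYPE outright is stricter than disabling external entity resolution alone, and it also blocks the nested internal-entity expansions that drive parser memory exhaustion.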

There are also no workarounds for the IBM flaws reported above, so the company recommends installing the official security patches to mitigate the risk of exploitation.