IBM SDK, Java Technology Edition 7.1.5.18 and 8.0.8.0 could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization flaw. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 236069.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Sdk | Ibm | * | 7.1.5.19 (excluding) |
| Sdk | Ibm | 8.0 (including) | 8.0.8.5 (excluding) |
| Red Hat Enterprise Linux 7 Supplementary | RedHat | java-1.8.0-ibm-1:1.8.0.8.5-1jpp.1.el7 | * |
| Red Hat Enterprise Linux 8 | RedHat | java-1.8.0-ibm-1:1.8.0.8.5-1.el8_8 | * |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.