WebSphere Remote Code Execution Vulnerability (CVE-2020-4534) Threat Alert

September 4, 2020 | Adeline Zhang

1. Vulnerability Description

On July 31, 2020, Beijing time, IBM released a security bulletin which addressed a remote code execution vulnerability (CVE-2020-4534) in WebSphere Application Server (WAS). The vulnerability is caused by improper handling of UNC paths. An authenticated local attacker could exploit the vulnerability to execute arbitrary code. The vulnerability has a CVSS score of 7.8.

The vulnerability (CVE-2020-4534) was discovered and reported to IBM by NSFOCUS Security Labs. Experts said that it could be chained with another vulnerability reported by NSFOCUS to IBM (CVE-2020-4450), which allows an unauthenticated attacker to execute arbitrary code on a target server and gain system privileges, thereby taking over the server. Affected users are advised to fix the vulnerability to mitigate the risks it poses.

Reference links:

https://www.ibm.com/support/pages/node/6255074
https://www.ibm.com/support/pages/node/6254980

2. Scope of Impact

Affected versions

  • WebSphere Application Server 9.0
  • WebSphere Application Server 8.5
  • WebSphere Application Server 8.0
  • WebSphere Application Server 7.0

3. Check for the Vulnerability

  • Version Check

Users can open IBM Installation Manager and choose Update to view the installed software packages and revisions, and check whether the patch PH26092 is installed. If information about the patch is found, the users are not affected by the vulnerability.

Alternatively, users can search for PH26083 in the installed.xml file under the Installation Manager directory and check whether the patch is installed. If information about the patch PH26083 is found, the users are not affected by the vulnerability.
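The installed.xml check described above, as an added example that is not NSFOCUS or IBM code: it scans the file for the fix ID PH26083 given in this advisory. The default file location is an assumption (Installation Manager may keep its data elsewhere), and no particular installed.xml schema is assumed, so every element's tag, text and attribute values are searched, with a plain text search as fallback if the file is not well-formed XML.

```python
"""Check an IBM Installation Manager installed.xml for the CVE-2020-4534 fix (PH26083)."""
import sys
import xml.etree.ElementTree as ET

FIX_IDS = {"CVE-2020-4534": "PH26083"}  # fix ID as given in the advisory

# Assumed default location of the Installation Manager data directory (root install on Linux).
DEFAULT_INSTALLED_XML = "/var/ibm/InstallationManager/installed.xml"


def fix_ids_in_xml(xml_text: str, fix_ids=FIX_IDS) -> dict:
    """Return {cve: True/False} indicating whether each fix ID appears in xml_text."""
    found = set()
    try:
        root = ET.fromstring(xml_text)
        for elem in root.iter():
            # Schema is not assumed: look at the tag, the text and every attribute value.
            fields = [elem.tag, elem.text or ""] + list(elem.attrib.values())
            for fix in fix_ids.values():
                if any(fix in f for f in fields):
                    found.add(fix)
    except ET.ParseError:
        # Not well-formed XML: fall back to a plain substring search.
        found = {fix for fix in fix_ids.values() if fix in xml_text}
    return {cve: fix in found for cve, fix in fix_ids.items()}


def check_file(path: str = DEFAULT_INSTALLED_XML) -> dict:
    """Read installed.xml from disk and report which fixes are present."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fix_ids_in_xml(fh.read())


# Constructed sample content for offline use; not copied from a real installed.xml.
SAMPLE_PATCHED = '<installInfo><fix id="PH26083"/></installInfo>'
SAMPLE_UNPATCHED = '<installInfo><fix id="PH00000"/></installInfo>'

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_INSTALLED_XML
    for cve, present in check_file(path).items():
        state = "installed" if present else "NOT found"
        print(f"{cve}: fix {FIX_IDS[cve]} {state}")
```

Run it with the path to installed.xml as the only argument; a fix reported as NOT found means the patch in section 4.1 should be applied.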

4. Mitigation

4.1 Official Fix

The vendor has released patches that fix the vulnerability, including security patches for versions that are no longer officially supported. Affected users are advised to install the patches as soon as possible.

Affected users can upgrade with IBM Installation Manager by applying the patch PH26083 as prompted.

Users can also download and install the patches from the official website of IBM.

Link for downloading the patches: https://www.ibm.com/support/pages/node/6254980

Note: Stop the WebSphere service before installing the patches and start it again after the installation completes.

4.2 Protection with NSFOCUS Products

Users of NSFOCUS Network Intrusion Prevention System (NIPS) and NSFOCUS Network Intrusion Detection System (NIDS) can upgrade to the latest rule base versions by installing the rule update packages, so that exploitation attempts are detected and blocked. The following table lists the rule base versions of the security products:

Product    | Rule Base Version | Download Link                                          | Rule ID
NIPS, NIDS | 5.6.10.23150      | http://update.nsfocus.com/update/downloads/id/107144  | [24981] CVE-2020-4534; [24980] CVE-2020-4450
NIPS, NIDS | 5.6.9.23150       | http://update.nsfocus.com/update/downloads/id/107143  | [24981] CVE-2020-4534; [24980] CVE-2020-4450

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.