CVE-2020-4276, CVE-2020-4362: WebSphere Application Server Privilege Escalation Vulnerability Alert

CVE-2020-4276 [1] and CVE-2020-4362 [2] are privilege escalation vulnerabilities in the IBM WebSphere Application Server discovered by Noxxx at Chaitin Tech. By exploiting this vulnerability, a remote and unauthorized attacker can privilege escalation and then execute arbitrary malicious code on the target server to obtain system permissions.

WebSphere Application Server is a high-performance Java middleware server developed by IBM, which can be used to build, run, integrate, protect and manage deployed dynamic cloud and Web applications. It not only ensures high performance and flexibility but also provides a variety of open standard programming model options, designed to maximize developer productivity.

IBM WebSphere Application Server traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector.

Noxxx at Chaitin Tech reported this vulnerability to IBM officially in January this year, and then IBM confirmed the vulnerability and released the corresponding patch PH21511, assigned the vulnerability number CVE-2020-4276. But researchers immediately found that the patch PH21511 did not seem to have the effect of fixing the vulnerability, so researchers communicated with the official again. After final confirmation, the IBM released the patch PH23853 again, assigning the vulnerability number CVE-2020-4362. Therefore, the two CVE numbers are actually the same vulnerability.

Affected version

• WebSphere Application Server 9.0.x
• WebSphere Application Server 8.5.x
• WebSphere Application Server 8.0.x
• WebSphere Application Server 7.0.x

Solution

• WebSphere Application Server 9.0.x: Update security patches PH21511 and PH23853
• WebSphere Application Server 8.5.x: Update security patches PH21511 and PH23853
• WebSphere Application Server 8.0.x: Upgrade to version 8.0.0.15 , And then update the security patches PH21511 and PH23853
• WebSphere Application Server 7.0.x: upgrade to version 7.0.0.45, and then update the security patches PH21511 and PH23853