A vulnerability affecting IBM’s WebSphere has been reported by security researcher Maurizio Agazzini, but the company requested censorship of the proof-of-concept.
Although IBM worked with the researcher on developing a fix and patching the affected products, the company allegedly pressured him into removing the proof-of-concept, as it could still have been used against customers yet to install the fix. Agazzini complied, but not without posting an excerpt of the email he received from IBM.
Tracked as CVE-2016-5983, the vulnerability affects IBM WebSphere versions 7, 8, 8.5, and 9 by allowing “remote authenticated users to execute arbitrary Java code via a crafted serialized object”. Successful exploitation could lead to DoS (denial-of-service) attacks and even remote execution of malicious code.
While the PoC has since been removed, details on how the attack can be reproduced are still available, and anyone with the right technical skills can write their own PoC.
“The attack can be reproduced as follows:
- Create an application with custom form authentication
- After user login, the LtpaToken2 is set by the application server
- Make an HTTP GET request that contains the WASPostParam cookie.”
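The steps above point at a Java serialized object travelling inside the WASPostParam cookie. As a defender's aid while the fix is rolled out, here is an added example (not from the article, the researcher or IBM) that flags a request whose WASPostParam cookie carries a Java serialization stream (magic bytes AC ED 00 05) and reports the first class name it declares, so it can feed a WAF rule or a log review. The base64 encoding of the cookie value, the cookie strings and the class name are assumptions constructed for the example.

```python
import base64
import binascii

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5)
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into {name: value}; tolerant of base64 '=' padding."""
    jar = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            jar[name] = value
    return jar


def decode_cookie_value(value: str) -> bytes:
    """Assumption: WASPostParam is base64; fall back to the raw bytes otherwise."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return value.encode("latin-1", "replace")


def first_class_name(stream: bytes):
    """Return the first declared class name of a Java serialization stream, or None
    if the bytes are not such a stream at all."""
    if not stream.startswith(JAVA_STREAM_MAGIC):
        return None
    i = len(JAVA_STREAM_MAGIC)
    # Expect TC_OBJECT, TC_CLASSDESC, then a 2-byte length and the UTF class name.
    if len(stream) < i + 4 or stream[i] != TC_OBJECT or stream[i + 1] != TC_CLASSDESC:
        return "<unparsed>"
    n = int.from_bytes(stream[i + 2:i + 4], "big")
    name = stream[i + 4:i + 4 + n]
    return name.decode("utf-8", "replace") if len(name) == n else "<truncated>"


def inspect_request(headers: dict) -> dict:
    """Flag a request whose WASPostParam cookie holds a serialized Java object."""
    jar = parse_cookies(headers.get("Cookie", ""))
    if "WASPostParam" not in jar:
        return {"serialized": False, "class": None}
    cls = first_class_name(decode_cookie_value(jar["WASPostParam"]))
    return {"serialized": cls is not None, "class": cls}


# Constructed samples: a minimal stream prefix declaring a made-up class name.
_NAME = b"com.example.PostParams"
SUSPECT_STREAM = JAVA_STREAM_MAGIC + bytes([TC_OBJECT, TC_CLASSDESC]) + len(_NAME).to_bytes(2, "big") + _NAME
SUSPECT_REQUEST = {"Cookie": "LtpaToken2=<placeholder>; WASPostParam=" + base64.b64encode(SUSPECT_STREAM).decode()}
BENIGN_REQUEST = {"Cookie": "LtpaToken2=<placeholder>; WASPostParam=plain-form-state"}
```

A hit on a patched server is worth a log entry; a hit on an unpatched one is a reason to block the request and pull the session for review.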
IBM’s response to inquiries on why it specifically asked the security researcher to drop the proof-of-concept suggests the company is mostly concerned with its customers’ safety, as some might not be able to apply the patch promptly.
“Though the patch is now available, we understand many organizations can’t always apply patches immediately,” said IBM. “While not the normal IBM practice, in this specific case, we asked for some of the exploit details to be redacted to protect vulnerable users and allow them time to patch.”