IBM WebSphere Java Object Deserialization RCE
Critical Nessus Plugin ID 87171
SynopsisThe remote WebSphere Application Server is affected by a remote code execution vulnerability.
DescriptionThe remote IBM WebSphere Application Server is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted SOAP request, to execute arbitrary code on the target host.
SolutionApply the appropriate interim fix per the vendor advisory.
Alternatively, ensure that all exposed ports used by the WebSphere Application Server are firewalled from any public networks.