IBM Support

webMethods Knowledgebase : Security vulnerability: Unsafe Java Object Deserialization (1777939)

Troubleshooting


Problem

There is a potential vulnerability in deserialization of IData pipelines.

The internal protocol used for transmission of IData pipelines on Integration Server has a feature that supports serialized Java objects.

This poses a risk because, under certain conditions, Java applications that perform unsafe deserialization of objects can be exploited to achieve arbitrary code execution. While the vulnerability itself lies in the application performing unsafe deserialization, exploitation of this issue depends on finding property-oriented programming "gadget chains" in libraries used by the application. These gadgets can then be used to construct a malicious serialized payload. While no gadgets to achieve code execution have been found, it is almost certain that, with enough time, a motivated attacker could construct a payload to achieve remote code execution through the libraries that are used by Integration Server. Additionally, no vulnerable libraries are needed to exploit the unsafe Java deserialization.
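As an added illustration, not IBM's fix for Integration Server (that comes from the vendor), this is the standard Java mitigation for the class of issue described above: an ObjectInputFilter allowlist on the ObjectInputStream, so that only the types the protocol is expected to carry are ever resolved and any other class is rejected before its readObject() runs. The PipelineRecord type, the allowlist pattern and the HashMap used as the unexpected input are all constructed for this example.

```java
import java.io.*;
import java.util.HashMap;

public class FilteredDeserialization {

    // Constructed stand-in for an application payload type; not a webMethods class.
    static final class PipelineRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int value;
        PipelineRecord(String key, int value) { this.key = key; this.value = value; }
    }

    // Allowlist filter (JEP 290): only classes the protocol legitimately carries may
    // be resolved. Every other class, gadget classes included, is rejected before its
    // readObject() runs; maxdepth/maxrefs also cap resource-exhaustion payloads.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
        "java.lang.String;" + PipelineRecord.class.getName() + ";!*;maxdepth=10;maxrefs=100");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // The unsafe form would be a plain ois.readObject(); the filter is the only difference.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new PipelineRecord("order.total", 42));
        PipelineRecord r = (PipelineRecord) deserializeFiltered(expected);
        System.out.println("accepted: " + r.key + "=" + r.value);

        // HashMap stands in for any class outside the allowlist (constructed input).
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same filter can be installed process-wide with the `jdk.serialFilter` system property instead of per stream, which is the usual choice when the deserializing code is in a third-party component you cannot modify.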

Document Location

Worldwide



Document Information

Modified date:
20 March 2025

UID

ibm17221055