
webMethods Knowledgebase : Security vulnerability: Unsafe Java Object Deserialization (1777939)

Troubleshooting


Problem

There is a potential vulnerability in deserialization of IData pipelines.

The internal protocol used for transmission of IData pipelines on Integration Server has a feature that supports serialized Java objects.

This poses a risk because, under certain conditions, Java applications that deserialize untrusted objects can be exploited to achieve arbitrary code execution. The vulnerability itself lies in the application performing the unsafe deserialization; exploiting it for code execution typically depends on finding property-oriented programming "gadget chains" in the classes available on the application's classpath, which an attacker assembles into a malicious serialized payload. No gadget chain achieving code execution has been found in the libraries used by Integration Server, but it is almost certain that, with enough time, a motivated attacker could construct a payload that achieves remote code execution through them. Additionally, exploiting unsafe Java deserialization does not require a vulnerable third-party library to be present: the unconditional deserialization of attacker-supplied object streams is itself the weakness.
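The following is an added illustration, not code from this IBM document or from Integration Server, of the pattern the problem describes and of the standard countermeasure: an unconditional ObjectInputStream.readObject() beside the same read constrained by a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, JDK 9+). The Order class, the allow-list contents and the depth/reference/array limits are assumptions chosen for the demo; a real protocol would list exactly the classes it legitimately transmits.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class DeserializationFilterDemo {

    // Constructed stand-in for an application record carried over the wire.
    // It is an assumption for this demo, not webMethods' IData type.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final int quantity;
        Order(String id, int quantity) { this.id = id; this.quantity = quantity; }
    }

    // Unsafe pattern: deserialize whatever the peer sent. Any Serializable class on the
    // classpath is instantiated, and its readObject/readResolve logic runs, before the
    // application ever gets to inspect the result. This is the gadget-chain entry point.
    static Object readUnsafe(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: allow-list the classes the protocol expects and bound the object
    // graph. The filter runs per class descriptor, so a rejected class is refused before any
    // of its deserialization callbacks execute. Assumed allow-list and limits for the demo.
    static final Set<String> ALLOWED = Set.of(
            Order.class.getName(),
            "java.lang.String", "java.lang.Integer", "java.lang.Number");

    static final ObjectInputFilter FILTER = info -> {
        // Resource limits guard against pathological graphs even when every class is allowed.
        if (info.depth() > 10 || info.references() > 1_000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {                 // no class on this callback; the limits above already applied
            return ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) {            // judge arrays by their component type
            c = c.getComponentType();
        }
        if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();      // throws InvalidClassException on a REJECTED class
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("A-1", 3));
        System.out.println("filtered read accepts expected type: " + ((Order) readFiltered(expected)).id);

        // Constructed stand-in for an attacker-chosen class: a harmless JDK type that the
        // protocol never legitimately sends. The unsafe reader instantiates it anyway.
        byte[] unexpected = serialize(new java.util.Date());
        System.out.println("unsafe read instantiates: " + readUnsafe(unexpected).getClass().getName());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered read rejected it: " + e.getMessage());
        }
    }
}
```

The allow-list is the part that matters: a deny-list of known gadget classes only blocks the chains already published, whereas an allow-list of the protocol's own types blocks the chains nobody has found yet, which is exactly the risk the problem statement describes. The depth and reference limits are a separate control against object graphs that are costly to reconstruct regardless of which classes they contain. When the deserializing code is a vendor product and cannot be changed, the same filter syntax can be applied process-wide with the jdk.serialFilter system property; whether a given product tolerates such a filter has to be verified against the vendor's guidance and the product's actual class usage.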

Document Location

Worldwide




Document Information

More support for:
IBM webMethods Integration

Component:
webMethods Integration Server (PIE)

Software version:
9.12

Operating system(s):
Red Hat Enterprise Linux

Document number:
7221055

Modified date:
20 March 2025

UID

ibm17221055
