Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
IBM Products Apache Commons Collections Deserialization Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability exists in several IBM products, including WebSphere Application Server, Cognos Controller, Watson Explorer, Watson Content Analytics, and Sterling B2B Integrator. It arises when these products deserialize untrusted Java objects while the Apache Commons Collections library, specifically its InvokerTransformer class, is available to the deserializing code; a crafted serialized object graph can then lead to arbitrary code execution on the affected system.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected system.
Reproduction
The vulnerability can be reproduced by sending a crafted serialized Java object that exploits the InvokerTransformer class in the Apache Commons Collections library. This can be done through interfaces that accept serialized objects, such as certain web services or application endpoints.
Remediation
Users can upgrade to the latest versions of the affected products. For IBM WebSphere Application Server, apply Fix Pack 8 or later. For IBM Cognos Controller, upgrade to version 10.2.1 FP2 IF2, 10.2 FP1 IF4, 10.1.1 FP3 IF4, or 10.1 IF6. IBM Watson Explorer and Watson Content Analytics users should install the latest available patches. IBM Sterling B2B Integrator users can upgrade to version 5.2.5.0 or 5.2.6.0, depending on their current version.
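Beyond patching, the defensive control that addresses this class of bug is to never let an untrusted stream instantiate arbitrary classes. The following is an added example, not IBM's or Apache's code: a look-ahead ObjectInputStream that rejects any class not on an explicit allow-list before an instance is created, so a gadget class such as InvokerTransformer is refused by name. It assumes Java 16+ (for records); the Invoice type and allow-list contents are constructed for the demonstration, and on Java 9+ (or 8u121+) the built-in JEP 290 ObjectInputFilter mechanism is the preferred way to express the same policy.

```java
import java.io.*;
import java.util.Set;

// Added example (not vendor code): allow-list deserialization. Denying Commons
// Collections alone is insufficient, since other gadget chains exist; allow only
// the types the service actually expects on the wire.
public class SafeDeserialization {

    // Constructed allow-list for this demo: the single payload type we accept.
    static final Set<String> ALLOWED = Set.of("SafeDeserialization$Invoice");

    static boolean isAllowed(String className) {
        return ALLOWED.contains(className);
    }

    // resolveClass runs when the class descriptor is read, before any instance
    // exists, so a rejected class never gets the chance to run its readObject.
    static class SafeObjectInputStream extends ObjectInputStream {
        SafeObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!isAllowed(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    // Harmless payload type used only for this demonstration.
    record Invoice(String id, int cents) implements Serializable {}

    // Serialize an Invoice and read it back through the hardened stream.
    static Invoice roundTrip(Invoice in) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(in);
        }
        try (ObjectInputStream ois =
                     new SafeObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            return (Invoice) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(roundTrip(new Invoice("INV-1", 1999)));
        // The gadget class named in this advisory is refused purely by name.
        System.out.println(isAllowed("org.apache.commons.collections.functors.InvokerTransformer"));
    }
}
```

Apply the same policy at every interface that accepts serialized objects, since the check protects only the streams that are actually routed through it.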
