IBM SDK Java Technology Vulnerability Enables Remote Execution of Unauthorized Code

A critical vulnerability has been identified in IBM SDK, Java Technology Edition that permits unauthorized code execution through unsafe deserialization. The flaw, assigned CVE-2022-40609, lies in the Object Request Broker (ORB), the middleware component that handles remote procedure calls (RPC) between networked computers while maintaining location transparency.

The vulnerability (CVE-2022-40609, an unsafe deserialization flaw) enables a remote attacker to execute arbitrary code by transmitting specially crafted serialized data. It has been assigned a high-risk CVSS score of 8.1.

The products impacted and their respective versions are:

  • IBM SDK, Java Technology Edition: Versions 8.0.8.0 and earlier, with a fix available in Version 7.1.5.19.
  • IBM SDK, Java Technology Edition: Versions 7.1.5.18 and earlier, with a fix in Version 8.0.8.5.

This issue is categorized under CWE-502: Deserialization of Untrusted Data in the Common Weakness Enumeration.
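The defensive control that addresses CWE-502 in Java code is a deserialization filter (JEP 290): an allowlist of the classes a stream is expected to contain, so that any other class is rejected before its constructor or readObject logic runs. The following is an added example written for this article, not code from IBM's SDK or the ORB component. It uses the java.io.ObjectInputFilter API available since Java 9; on Java 8 (8u121 and later) the same pattern syntax is accepted through the jdk.serialFilter system property instead. The class list and limits are assumptions chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.Date;

/**
 * Added example: restricting what an ObjectInputStream may instantiate.
 * Only the listed classes (and their serializable superclasses, which the
 * stream also names, hence java.lang.Number for Integer) are accepted;
 * the trailing "!*" rejects every other class. maxdepth and maxarray
 * bound resource use from deeply nested or oversized payloads.
 */
public class SafeDeserializeDemo {

    // Assumed allowlist for this demo; a real service lists exactly its own message types.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.lang.Number;java.lang.Integer;java.util.ArrayList;"
            + "maxdepth=5;maxarray=1000;!*");

    /** Serializes an object graph to bytes (stands in for data received over the network). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes untrusted bytes with the allowlist filter applied to the stream. */
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: a payload made only of allowed types deserializes normally.
        ArrayList<Object> expected = new ArrayList<>();
        expected.add("hello");
        expected.add(42);
        System.out.println("allowed:  " + deserialize(serialize(expected)));

        // Constructed sample 2: a class that is not on the allowlist (a harmless java.util.Date
        // stands in for any unexpected class). The filter rejects it with InvalidClassException
        // before any of the class's deserialization logic executes.
        try {
            deserialize(serialize(new Date()));
            System.out.println("unexpected: Date was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter must be installed on the stream before the first readObject call; setting it afterwards, or relying on catching exceptions from a gadget class, is too late because the rejected class would already have been resolved. Applying the same allowlist process-wide via jdk.serialFilter also covers streams created by libraries and middleware that the application does not construct itself.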

In response, Red Hat has issued patches for Red Hat Enterprise Linux 7 Supplementary and Red Hat Enterprise Linux 8. Notably, Red Hat Enterprise Linux 7 with Java 1.7.1-ibm is outside the support scope, as per Red Hat’s policies and advisory.

Additionally, Tenable has released Nessus plugins for detecting this vulnerability:

  • Plugin ID 179134: “IBM Java 7.1 < 7.1.5.19 / 8.0 < 8.0.8.5” with a CRITICAL severity rating.
  • Plugin ID 179054: “RHEL 7: java-1.8.0-ibm (RHSA-2023:4160)” rated as HIGH severity.

Users are advised to update to the latest versions to mitigate the risk from potential exploitation by threat actors.
