IBM SDK’s Java Technology Edition has identified a critical vulnerability that permits unauthorized code execution due to unsafe deserialization. This flaw, assigned CVE ID CVE-2022-40609, exists in the Object Request Broker (ORB), a middleware component facilitating remote procedure calls (RPC) between networked computers, while maintaining location transparency.
The vulnerability, classified as CVE-2022-40609: Unsafe Deserialization Flaw, enables a remote attacker to execute arbitrary code by transmitting specially crafted data. It has been assigned a high-risk CVSS Score of 8.1.
The products impacted and their respective versions are:
- IBM SDK, Java Technology Edition: Versions 8.0.8.0 and earlier, with a fix available in Version 7.1.5.19.
- IBM SDK, Java Technology Edition: Versions 7.1.5.18 and earlier, with a fix in Version 8.0.8.5.
This issue is categorized under CWE-502: Deserialization of Untrusted Data in the Common Weakness Enumeration.
In response, Red Hat has issued patches for Red Hat Enterprise Linux 7 Supplementary and Red Hat Enterprise Linux 8. Notably, Red Hat Enterprise Linux 7 with Java 1.7.1-ibm is outside the support scope, as per Red Hat’s policies and advisory.
Additionally, Tenable has released Nessus plugins for detecting this vulnerability:
- Plugin ID 179134: “IBM Java 7.1 < 7.1.5.19 / 8.0 < 8.0.8.5” with a CRITICAL severity rating.
- Plugin ID 179054: “RHEL 7: java-1.8.0-ibm (RHSA-2023:4160)” rated as HIGH severity.
Users are advised to update to the latest versions to mitigate the risk from potential exploitation by threat actors.