IBM has patched a critical buffer-overflow error that affects Big Blue’s Integration Designer toolset, which helps enterprises create business processes that integrate applications and data. If exploited, the flaw could enable remote code execution.
The flaw (CVE-2020-27221) has a CVSS base score of 9.8 out of 10, making it critical in severity. It stems from an issue in versions 7 and 8 of Java Runtime Environment (JRE), which is used by IBM Integration Designer toolset.
JRE is a software layer that runs on top of a computer’s operating system (OS), and enables Java to run seamlessly on any system regardless of its OS.
What is a Buffer-Overflow Flaw?
The flaw is a stack-based buffer-overflow error. This is a class of vulnerability where the region of a process’ memory that’s used to store dynamic variables (the heap) can be overwhelmed.
“By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash,” according to IBM’s Monday security advisory.
The error exists when the virtual machine (VM) or Java Native Interface converts characters from UTF-8 to platform encoding. Java Native Interface is a programming framework that enables Java code running in a Java VM to call native applications and libraries written in other languages.
IBM didn’t provide further information about what type of privileges an attacker would need, where they would need to send the string or the initial attack vector.
IBM Integration Designer Affected
Specifically, CVE-2020-27221 exists in Eclipse OpenJ9, a high-performance, scalable, Java VM implementation that is fully compliant with JRE.
“Contributed to the Eclipse foundation by IBM, the OpenJ9 JVM underpins the IBM SDK, Java Technology Edition, which is a core component of many IBM Enterprise software products,” according to IBM.
IBM Integration Designer versions 8.5.7, 18.104.22.168, 22.214.171.124 and 126.96.36.199, which use JRE versions 7 and 8, are affected. The vulnerability was first reported on Dec. 16 via the Eclipse Foundation, which is a global community of Eclipse open source software development members. A fix can be found here for each affected version of IBM Integration Designer.
Another vulnerability (CVE-2020-14782) was fixed, stemming from the JRE implementation in IBM Integration Designer. This “unspecified” vulnerability existed in Java SE and was related to the Libraries component. However, according to IBM it had “no confidentiality impact, low integrity impact and no availability impact.”
IBM Planning Analytics Workspace High-Severity Flaws
IBM also patched a slew of high-severity flaws in its IBM Planning Analytics Workspace; a web-based interface for IBM Planning Analytics that provides an interface to create and analyze content. The flaws exist specifically in Release 61 of the Local v2.0 for Planning Analytics Workspace.
Another flaw (CVE-2020-25649) exists in the FasterXML Jackson Databind, used to convert JSON to and from Plain Old Java Object (POJO) using property accessor or using annotations.
The flaw “could provide weaker than expected security, caused by not having entity expansion secured properly,” according to IBM. “A remote attacker could exploit this vulnerability to launch XML external entity (XXE) attacks to have impact over data integrity.”
IBM Continues Security-Flaw Fix Campaign
IBM previously issued various fixes for vulnerabilities, including ones in Spectrum Protect Plus in September. This is Big Blue’s security tool that’s found under the umbrella of its Spectrum data storage software branding. The flaws could be exploited by remote attackers to execute code on vulnerable systems.
In August, a shared-memory flaw was discovered in IBM’s next-gen data-management software that researchers said could lead to other threats — as demonstrated by a new proof-of-concept exploit for the bug.
And in April, four serious security vulnerabilities in the IBM Data Risk Manager (IDRM) were identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis – and a proof-of-concept exploit is available.
Threatpost WEBINAR: Is your small- to medium-sized business an easy mark for attackers? Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.