WebSphere eXtreme Scale
Monthly
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0-8.6.1.6 arises because three bundled ObjectInputStream subclasses (WsObjectInputStream, ObjectStreamPool$ReusableInputStream, ObjectInputStreamResolver) deserialize untrusted data without any JEP-290 lookahead class filter. When Oracle Coherence is present on the classpath, confirmed working gadget chains (RemoteConstructor.readResolve, PriorityQueue/ExtractorComparator) let a low-privileged authenticated attacker who can write a session attribute - or a LAN-adjacent attacker on the unauthenticated grid replication wire - run arbitrary code on peer WebSphere Application Server JVMs. A vendor patch is available; there is no public exploit identified and EPSS is low (0.29%), but IBM confirms the gadget chains function, giving total technical impact per SSVC.
Arbitrary constructor invocation (leading to code execution) in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 lets an authenticated remote attacker who can influence an application-built Object Query Language (OQL) query force the engine to resolve attacker-named classes via Class.forName() and instantiate them without any allow-list. Three distinct sinks are affected (SELECT NEW, enum literals, and reflection-based comparators), and a SELECT DISTINCT variant using planted grid values triggers the gadget post-readObject in a way that bypasses JEP-290 serialization filters across grid nodes. There is no public exploit identified at time of analysis and EPSS is low (0.27%), but the CVSS 9.9 scope-changing impact makes this a high-priority patch for exposed grid deployments.
Remote code execution in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 arises from roughly 50 generated CORBA stub classes in the shipped ogclient.jar that invoke ORB.string_to_object() on an attacker-controlled IOR string during Java deserialization, converting any unfiltered ObjectInputStream sink in the surrounding WebSphere Application Server into outbound IIOP server-side request forgery. When chained with the IBM ORB getUserException class-instantiation flaw (tracked as WAS-26), that SSRF escalates to code execution on the calling JVM. CVSS is 10.0 (scope-changed, full CIA impact); EPSS is 3.01% (86th percentile) and there is no public exploit identified at time of analysis.
Denial of service in IBM WebSphere eXtreme Scale 8.6.1.0 through 8.6.1.6 allows adjacent unauthenticated attackers to crash the WebSphere Application Server JVM by sending malformed XDF-encoded Protocol Buffers messages to the data grid. The XDF decoder fails to enforce bounds on recursive protobuf message nesting depth and on attacker-supplied length prefixes, triggering either a StackOverflowError or an OutOfMemoryError that takes down the JVM process. No public exploit has been identified at time of analysis, and IBM has released a patch via its support advisory.