QRadar RemoteJavaScript Servlet Has a Java Deserialization Vulnerability

There is a Full Disclosure post that I think will be useful for system administrators who want to make sure their systems are secure. A Java deserialization vulnerability was recently found in the QRadar RemoteJavaScript servlet.

For those who are not aware of it, this vulnerability allows a remote attacker to execute arbitrary commands on the system.

The full details of the vulnerability can be seen as follows:

  • CVE: CVE-2020-4280
  • CVSSv3 score: 8.8 High (NVD) and 6.6 Medium (IBM Corporation)
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD) and CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (IBM Corporation)
  • Affected versions: IBM QRadar SIEM 7.3 and 7.4

How does it work?

The vulnerability can be exploited when an attacker creates a malicious serialized object, which can lead to several attacks such as the following:

  • Denial Of Service
  • Change of System Settings
  • Execution of arbitrary code

The root cause is insecure deserialization: a Java deserialization function is called on user-supplied content. A malicious attacker sends malicious serialized Java objects, which can lead to the execution of arbitrary commands on the system.

The vulnerable URLs are shown below:

  • /remoteJavaScript
  • /remoteMethod
  • /JSON-RPC/*
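
For defenders, the sketch below triages web request records that hit the three servlet paths listed above and escalates any whose body carries a Java serialization stream header. It is an added example, not code from the advisory or from IBM; the record layout, the /console context prefix and the sample data are assumptions made for illustration.

```python
import re

# Servlet paths listed above. The optional context prefix (e.g. /console) and the
# request-record layout are assumptions of this example.
WATCHED = re.compile(r"/(remoteJavaScript|remoteMethod|JSON-RPC/[^?]*)(\?|$)")

RAW_MAGIC = b"\xac\xed\x00\x05"  # Java serialization STREAM_MAGIC + STREAM_VERSION
B64_MAGIC = b"rO0AB"             # the same header after base64 encoding


def serialized_java_encoding(body):
    """Return 'raw' or 'base64' if the body carries a Java serialization header."""
    if RAW_MAGIC in body:
        return "raw"
    if B64_MAGIC in body:
        return "base64"
    return None


def triage(requests):
    """Flag requests to the watched servlets; escalate those carrying serialized Java."""
    findings = []
    for req in requests:
        if not WATCHED.search(req["path"]):
            continue
        encoding = serialized_java_encoding(req["body"])
        findings.append({
            "src": req["src"],
            "path": req["path"],
            "serialized": encoding,
            "severity": "high" if encoding else "review",
        })
    return findings


# Constructed sample records (documentation IP ranges, made-up bodies).
SAMPLE_REQUESTS = [
    {"src": "192.0.2.10", "path": "/console/remoteJavaScript", "body": RAW_MAGIC + b"sr\x00\x07Example"},
    {"src": "192.0.2.10", "path": "/console/JSON-RPC/example", "body": b'{"params":["rO0ABXNyAAdFeGFtcGxl"]}'},
    {"src": "198.51.100.7", "path": "/console/remoteMethod", "body": b'{"id":1}'},
    {"src": "198.51.100.7", "path": "/console/index.html", "body": b""},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
```

A short base64 prefix can match by chance, so treat "high" findings as leads to confirm against the full request rather than as proof of exploitation.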

Source: Java deserialization vulnerability in QRadar RemoteJavaScript Servlet

Author: Wan Ariff

He brings with him working experience in the information security field, specializing in penetration testing and digital forensics. His passion leans more toward IT security.
