IBM WebSphere eXtreme Scale's OQL is affected by remote code execution
IBM WebSphere Extreme Scale 8.6.1.0 through 8.6.1.6 's Object Query Language engine resolves attacker-supplied class names via Class.forName() and invokes their constructors with no allow-list at three distinct sinks (SELECT NEW, enum literals, and reflection-based comparators); an authenticated remote attacker who can influence an application-built OQL query string can execute arbitrary constructors on the WAS JVM, and a SELECT DISTINCT variant using planted grid values fires the same gadget post-readObject in a manner that survives JEP-290 serialization filters across grid node boundaries
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-470 | CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
Type: CWE
Description: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H