—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Multiple Vulnerabilities in IBM WebSphere Application Server

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: CRITICAL

Software Affected

IBM WebSphere Application Server 8.5 and 9.0

Overview

Multiple vulnerabilities have been reported in IBM WebSphere Application which could be exploited by an attacker for identify spoofing and remote code execution on the targeted system.

Target Audience:

All end-users and organisations using IBM WebSphere Application Server.

Risk Assessment:

High risk of unauthorised access.

Impact Assessment:

Potential impact on confidentiality, integrity, availability of the system and application outages.

Description

IBM WebSphere Application Server (WAS) is a software platform that provides a runtime environment for enterprise-level Java applications. It is a part of IBMs middleware offerings, primarily used for building, deploying, and managing Java-based applications, including Java EE (Enterprise Edition) applications.

Multiple vulnerabilities exist in IBM WebSphere Application Server due to improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On component and deserialization of untrusted data via JAX-WS endpoints with WS-Security.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code and identity spoofing to bypass security restrictions on the targeted system.

Solution

Apply appropriate updates as mentioned by the vendor:

https://www.ibm.com/support/pages/node/7274733

https://www.ibm.com/support/pages/node/7274738

https://www.ibm.com/support/pages/node/7274740

Vendor Information

IBM

https://www.ibm.com/support/pages/node/7274733

https://www.ibm.com/support/pages/node/7274738

https://www.ibm.com/support/pages/node/7274740

References

IBM

https://www.ibm.com/support/pages/node/7274733

https://www.ibm.com/support/pages/node/7274738

https://www.ibm.com/support/pages/node/7274740

CVE Name

CVE-2026-9311

CVE-2026-9319

CVE-2026-8644

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmoi4EMACgkQ3jCgcSdc

ys9p9A/+PI/czGB2eN0T5o4mK/j7F/3yPXFJk/GdKWUhojhMMn6u0wZ+n55LOy5A

UXlAbDetfYg5NuvIbYKViSlIuTmQBI2cXGbqJLQqnY+TrzwMTXR4KJNKMVfPEcup

pKrYz6rwF2sYY0OAID7By8ltb1P/BrQ+/hXK4VcA+eb5cmX0gGllp2uKOXQZNuiP

IqKJayKu4+ABSvOfO5SfT9YwOvdw773dleu0772XmsVfyIsl0/aX64v5TWouohj8

RBcpmlGtmyhgIxZMaC2ZE7jbvC2ERGVKsL6ae+DL2olQABV7DuhiyqWD7dhkMb0B

1Dvw9qm7aFIA7Dl80wVqtT9nJluTsGTTsoU70fxcDQAhmmqG56qWJOBqZ1+o8zkF

BsVykjfc6N98EdetIYYivnxnANJ2Dpk9TWbVxtu7hwwTe9/SDRTLH9ysZGg+RDuF

l4axuVC6LGhAiW/5IpZmZ7MbMmL9ZoDvSbJDJqO+xh0dmP+faw02jtbwsh6Ip5SU

sJNFTiTwSiBkSgYCrvxZ3V1UQj3rP+uENrzGA/aGBoTLB0GfrWWGDlXZsih4TaSZ

9ptVya8lXSDfl7SuMkgfRwwPdnMXtQcRatZ0ObJpc3FhbGdfZOgkVumYDXVSD/cv

czHTbOSc4zmKN7tWghrWNNj2JBIsLZtJxzFtJxBvSuhso5jpZzo=

=sZz3

—–END PGP SIGNATURE—–