Remote Code Execution Vulnerabilities in IBM Operational Decision Manager, and IBM i Modernization Engine for Lifecycle Integration (CVE-2019-19919, CVE-2019-12384)

Advisory No: TZCERT/SA/2024/05/17-6

Date of First Release: 17^th May 2024

Source: IBM

Software Affected: IBM Operational Decision Manager, IBM i Modernization Engine for Lifecycle Integration

Overview:

IBM applications are vulnerable to critical vulnerabilities. The attackers can leverage the vulnerability to execute arbitrary code on the affected system.

Description:

IBM Operational Decision Manager, IBM i Modernization Engine for Lifecycle Integration are affected by critical vulnerability rated at 9.8 and tracked as CVE-2019-19919 and CVE-2019-12384. The vulnerabilities exist in Node.js handlebars and FasterXML jackson-databind. The attackers can send specially crafted messages to execute arbitrary code on the vulnerable system.

Impact:

Successful exploitation of these vulnerabilities may allow an attacker to take control of affected system.

Solution:

IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.

References:

1. https://exchange.xforce.ibmcloud.com/vulnerabilities/173388
2. https://exchange.xforce.ibmcloud.com/vulnerabilities/162849