Java Deserialization Vulnerability in WebSphere Application Server

By Waratek, May 29, 2019 (June 5th, 2019). Categories: Alerts, Legacy, Patching

Guidance on Java Deserialization Vulnerability in WebSphere Application Server ND (CVE-2019-4279)

Security Bulletin

IBM issued a security bulletin on Wednesday 15th May advising of a critical vulnerability affecting IBM WebSphere Application Server 8.5 and 9.0. It could allow a remote attacker to execute arbitrary code on the system by sending a specially crafted sequence of serialized objects from an untrusted source. This vulnerability has a CVSS score of 10.

Non-Waratek customers should apply the WebSphere interim fix (iFix), Fix Pack or PTF from IBM as soon as possible. Note that WebSphere Application Server must be shut down before the iFixes are applied and restarted afterwards.
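The vulnerability class described above is deserialization of untrusted data (CWE-502): `ObjectInputStream` will instantiate any `Serializable` class on the classpath that the incoming stream names. The following is an added illustration, not code from the IBM bulletin, WebSphere or Waratek, of the platform-level mitigation for that class of bug: a JEP 290 `ObjectInputFilter` (Java 9+) that allowlists the types an endpoint legitimately expects and rejects everything else before any object is created. The class `NotOnAllowlist` and the filter pattern are assumptions made for the demo.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

/** Added demo (not WebSphere or Waratek code): JEP 290 deserialization allowlist. */
public class DeserializationFilterDemo {

    // Allowlist for an endpoint that expects only a list of integers; "!*" rejects every
    // other class, and maxdepth bounds nesting so deeply recursive graphs are refused too.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.Integer;java.lang.Number;maxdepth=5;!*");

    // Stand-in (assumed for the demo) for any Serializable type the endpoint does not expect.
    static class NotOnAllowlist implements Serializable {}

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // filter == null is the unsafe default: any Serializable class on the classpath is
    // instantiated. With a filter, each class is checked before any object is created.
    static Object read(byte[] data, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ArrayList<>(List.of(1, 2, 3)));   // constructed sample input
        byte[] unexpected = serialize(new NotOnAllowlist());              // constructed sample input

        System.out.println("filtered, expected type:     " + read(expected, ALLOWLIST));
        System.out.println("unfiltered, unexpected type: " + read(unexpected, null).getClass().getSimpleName());
        try {
            read(unexpected, ALLOWLIST);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type:   " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be applied process-wide with the `jdk.serialFilter` system property, which is the usual way to cover third-party code that opens its own `ObjectInputStream`.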

Waratek Customer Advice

  • Existing Waratek Secure and Waratek Enterprise customers who have enabled the deserialization zero-day (CWE-502) rule in protect mode are already protected. No further action is required.
  • Existing Waratek Patch customers who have enabled the Process Forking ARMR rule in protection mode are already protected.
  • Waratek’s ARMR platform provides complete remediation for this zero-day critical vulnerability; therefore, Waratek customers do not have to apply IBM's patch for CVE-2019-4279 with urgency.
  • All Waratek customer users can enable the corresponding rules for instant protection without having to restart the WebSphere Application Server.
  • Non-Waratek customers who are affected by this IBM WebSphere vulnerability, as well as those using inefficient solutions based on pattern matching and signatures, should contact Waratek at

Author: Waratek

Some of the world’s leading companies use Waratek to patch, secure and upgrade their mission-critical web applications using our next-generation technology. Waratek makes it easy for security teams to instantly patch known Java and .NET flaws with no downtime, protect their applications from known and zero-day attacks, and virtually upgrade out-of-support Java applications – all without time-consuming and expensive source code changes or unacceptable performance overhead.