IBM WebSphere Application Server Network Deployment – Remote Code Execution Vulnerability

Issued: November 16, 2022

Impacted Product

ALL Infor Lawson 10.0.X application customers, Infor Landmark version 11 and version 10 application customers, Infor Business Intelligence for Lawson 10.6 customers, and Mobile Supply Chain Management 11 customers deployed on-premises or managed by Infor (Infor Cloudsuite single tenant cloud customers do not need to take any action).

Vulnerability Summary

A security vulnerability related to Dojo (CVE-2021-23450, CVSS 9.8) has been identified by IBM® within the IBM WebSphere® Application Server Network Deployment (WAS ND) 8.5 used by the Infor Lawson 10.0.X applications and the Infor Landmark version 11 and version 10 applications deployed on-premises.

Customers are advised to take immediate action to mitigate this threat.

Background:

IBM has addressed this vulnerability. IBM interim fix (iFix) PH43148 resolves the problem.

IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo (CVE-2021-23450, CVSS 9.8).

Action Steps:

Lawson and Landmark on-premises customers must install IBM interim fix PH43148.

ALL on-premises Lawson 10.0.X application customers and Landmark version 11 and version 10 application customers must apply the IBM WebSphere Application iFix patch as directed in the Infor Support Portal’s knowledge base (KB) article 2275124, title “IBM WebSphere Application Server Network Deployment – Remote Code Execution Vulnerability.”